Role-based access control autogeneration in a cloud native software-defined network architecture

ABSTRACT

A network controller for a software-defined networking (SDN) architecture system may receive a request to generate an access control policy for a role in a container orchestration system, where the request specifies a plurality of functions. The network controller may execute the plurality of functions and may log execution of the plurality of functions in an audit log. The network controller may parse the audit log to determine a plurality of resources of the container orchestration system accessed from executing the plurality of functions and, for each resource of the plurality of resources, a respective one or more types of operations performed on the respective resource. The network controller may create, based at least in part on the parsed audit log, the access control policy for the role that permits a role to perform, on each of the plurality of resources, the respective one or more types of operations.

RELATED APPLICATION

This application claims the benefit of U.S. Provisional Application No.63/362,319, filed Mar. 31, 2022, and claims the benefit of IndianProvisional Application 202141044924, filed Oct. 4, 2021, the entirecontents of each of which is incorporated herein by reference.

TECHNICAL FIELD

The disclosure relates to virtualized computing infrastructure and, morespecifically, to access control policies for cloud native networking.

BACKGROUND

In a typical cloud data center environment, there is a large collectionof interconnected servers that provide computing and/or storage capacityto run various applications. For example, a data center may comprise afacility that hosts applications and services for subscribers, i.e.,customers of data center. The data center may, for example, host all ofthe infrastructure equipment, such as networking and storage systems,redundant power supplies, and environmental controls. In a typical datacenter, clusters of storage systems and application servers areinterconnected via high-speed switch fabric provided by one or moretiers of physical network switches and routers. More sophisticated datacenters provide infrastructure spread throughout the world withsubscriber support equipment located in various physical hostingfacilities.

Virtualized data centers are becoming a core foundation of the moderninformation technology (IT) infrastructure. In particular, modern datacenters have extensively utilized virtualized environments in whichvirtual hosts, also referred to herein as virtual execution elements,such virtual machines or containers, are deployed and executed on anunderlying compute platform of physical computing devices.

Virtualization within a data center or any environment that includes oneor more servers can provide several advantages. One advantage is thatvirtualization can provide significant improvements to efficiency. Asthe underlying physical computing devices (i.e., servers) have becomeincreasingly powerful with the advent of multicore microprocessorarchitectures with a large number of cores per physical CPU,virtualization becomes easier and more efficient. A second advantage isthat virtualization provides significant control over the computinginfrastructure. As physical computing resources become fungibleresources, such as in a cloud-based computing environment, provisioningand management of the computing infrastructure becomes easier. Thus,enterprise IT staff often prefer virtualized compute clusters in datacenters for their management advantages in addition to the efficiencyand increased return on investment (ROI) that virtualization provides.

Containerization is a virtualization scheme based on operationsystem-level virtualization. Containers are light-weight and portableexecution elements for applications that are isolated from one anotherand from the host. Because containers are not tightly-coupled to thehost hardware computing environment, an application can be tied to acontainer image and executed as a single light-weight package on anyhost or virtual host that supports the underlying containerarchitecture. As such, containers address the problem of how to makesoftware work in different computing environments. Containers offer thepromise of running consistently from one computing environment toanother, virtual or physical.

With containers' inherently lightweight nature, a single host can oftensupport many more container instances than traditional virtual machines(VMs). Often short-lived, containers can be created and moved moreefficiently than VMs, and they can also be managed as groups oflogically-related elements (sometimes referred to as “pods” for someorchestration platforms, e.g., Kubernetes). These containercharacteristics impact the requirements for container networkingsolutions: the network should be agile and scalable. VMs, containers,and bare metal servers may need to coexist in the same computingenvironment, with communication enabled among the diverse deployments ofapplications. The container network should also be agnostic to work withthe multiple types of orchestration platforms that are used to deploycontainerized applications.

A computing infrastructure that manages deployment and infrastructurefor application execution may involve two main roles: (1)orchestration—for automating deployment, scaling, and operations ofapplications across clusters of hosts and providing computinginfrastructure, which may include container-centric computinginfrastructure; and (2) network management—for creating virtual networksin the network infrastructure to enable packetized communication amongapplications running on virtual execution environments, such ascontainers or VMs, as well as among applications running on legacy(e.g., physical) environments. Software-defined networking contributesto network management.

SUMMARY

In general, techniques are described for generating role-based accesscontrol (RBAC) policies for a computer network implemented using acloud-native SDN architecture. A user, such as an administrator of thecomputer network, may request that a network controller generate anaccess control policy for a role by specifying functions of an APIprovided by the network controller. The network controller may executethe specified functions and may log the execution of the functions in anaudit log. The network controller may parse and/or filter the audit logto extract resources accessed by execution of the functions and arespective one or more operations performed on each of the resources byexecution of the functions. The network controller may thereforegenerate, based on the parsed and/or filtered audit log, an accesscontrol policy for the role that permits the role to perform therespective one or more operations performed on each of the resources.

In some examples, the SDN architecture of the computer network mayinclude data plane elements implemented in compute nodes, and networkdevices such as routers or switches, and the SDN architecture may alsoinclude a network controller for creating and managing virtual networks.The SDN architecture configuration and control planes are designed asscale-out cloud-native software with a container-based microservicesarchitecture that supports in-service upgrades. The configuration nodesfor the configuration plane may be implemented to expose using customresources. These custom resources for SDN architecture configuration mayinclude configuration elements conventionally exposed by a networkcontroller, but the configuration elements may be consolidated alongwith Kubernetes native/built-in resources to support a unified intentmodel, exposed by an aggregated API layer, that is realized byKubernetes controllers and by custom resource controller(s) that work toreconcile the actual state of the SDN architecture with the intendedstate.

A computer network implemented using the SDN architecture may be acomplex environment that includes hundreds or thousands of physicaland/or virtual components such as applications, virtual machines,virtual routers, virtual networks, subnets, domains, tenants, resources,and the like that communicate with each other as well as with externaldevices. In addition, resources may be hierarchical in nature, so thataccessing resources may also require accessing dependent resources. Assuch, it may be impracticable for a user (e.g., an administrator) tomanually determine the appropriate access control policies for a role toperform one or more workflows.

In some examples, if a user attempts to manually set an access policyfor a role, a user may be overinclusive or underinclusive in determiningthe operations that the role can perform on resources. If the user isoverinclusive when setting an access policy for the role, the user maygrant a role the ability to perform operations on a resource that maynot be required for the role to access functions of an API that the rolemay need to perform its work, which may lead to security issues. Inother examples, a user may, by mistake, not grant a role the ability toperform one or more operations that may need in order for the role toaccess functions of an API that the role may need to access, therebypotentially preventing users in the role from being able to successfullyperform their duties.

As such, the techniques described herein may provide for one or moretechnical advantages that lead to at least one practical application.For example, by creating an access policy based on functions of an API,the network controller of a computer network may be able to create anaccess policy for a role that prevents the role from performingoperations on resources in the computer network that are not required toperform the specified functions. As such the techniques described hereinmay improve the security of the computer network, when granting a rolepermission to perform operations on resources in order to perform one ormore functions of the API, by preventing mistakenly or accidentallygranting permissions to the role to perform operations on resources thatmay not be required to perform the specified functions.

In some aspects, the techniques described herein relate to a networkcontroller for a software-defined networking (SDN) architecture system,the network controller including: processing circuitry; and one or moreconfiguration nodes configured for execution by the processingcircuitry, wherein the one or more configuration nodes include anapplication programming interface (API) server to process requests foroperations on native resources of a container orchestration system andinclude a custom API server to process requests for operations on customresources for SDN architecture configuration, to: receive a request togenerate an access control policy for a role in a containerorchestration system, wherein the request specifies a plurality offunctions of an aggregated API provided by the custom API server and theAPI server; execute the plurality of functions; log execution of theplurality of functions in an audit log; parse the audit log to determinea plurality of resources of the container orchestration system accessedfrom executing the plurality of functions and, for each resource of theplurality of resources, a respective one or more types of operations ofa plurality of actions performed on the respective resource fromexecuting the plurality of functions; and create, based at least in parton the parsed audit log, the access control policy for the role thatpermits a role to perform, on each of the plurality of resources, therespective one or more types of operations.

In some aspects, the techniques described herein relate to a methodincluding: receiving, by processing circuitry of a network controllerfor a software-defined networking (SDN) architecture system, a requestto generate an access control policy for a role in a containerorchestration system, wherein the network controller includes anapplication programming interface (API) server to process requests foroperations on native resources of a container orchestration system and acustom API server to process requests for operations on custom resourcesfor SDN architecture configuration, and wherein the request specifies aplurality of functions of an aggregated API provided by the custom APIserver and the API server executing, by the processing circuitry, theplurality of functions; logging, by the processing circuitry, executionof the plurality of functions in an audit log; parsing, by theprocessing circuitry, the audit log to determine a plurality ofresources of the container orchestration system accessed from executingthe plurality of functions and, for each resource of the plurality ofresources, a respective one or more types of operations of a pluralityof actions performed on the respective resource from executing theplurality of functions; and creating, by the processing circuitry andbased at least in part on the parsed audit log, the access controlpolicy for the role that permits a role to perform, on each of theplurality of resources, the respective one or more types of operations.

In some aspects, the techniques described herein relate to anon-transitory computer-readable medium including instructions forcausing processing circuitry of a network controller that executes oneor more configuration nodes that include an application programminginterface (API) server to process requests for operations on nativeresources of a container orchestration system and include a custom APIserver to process requests for operations on custom resources for SDNarchitecture configuration to: receive a request to generate an accesscontrol policy for a role in a container orchestration system, whereinthe request specifies a plurality of functions of an aggregated APIprovided by the custom API server and the API server; execute theplurality of functions; log execution of the plurality of functions inan audit log; parse the audit log to determine a plurality of resourcesof the container orchestration system accessed from executing theplurality of functions and, for each resource of the plurality ofresources, a respective one or more types of operations of a pluralityof actions performed on the respective resource from executing theplurality of functions; and create, based at least in part on the parsedaudit log, the access control policy for the role that permits a role toperform, on each of the plurality of resources, the respective one ormore types of operations.

The details of one or more examples of this disclosure are set forth inthe accompanying drawings and the description below. Other features,objects, and advantages will be apparent from the description anddrawings, and from the claims.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram illustrating an example computinginfrastructure in which examples of the techniques described herein maybe implemented.

FIG. 2 is a block diagram illustrating an example of a cloud-native SDNarchitecture for cloud native networking, in accordance with techniquesof this disclosure.

FIG. 3 is a block diagram illustrating another view of components of thecloud-native SDN architecture and in further detail, in accordance withtechniques of this disclosure.

FIG. 4 is a block diagram illustrating example components of acloud-native SDN architecture, in accordance with techniques of thisdisclosure.

FIG. 5 is a block diagram of an example computing device, according totechniques described in this disclosure.

FIG. 6 is a block diagram of an example computing device operating as acompute node for one or more clusters for a cloud-native SDNarchitecture system, in accordance with techniques of this disclosure.

FIG. 7A is a block diagram illustrating control/routing planes forunderlay network and overlay network configuration using a cloud-nativeSDN architecture, according to techniques of this disclosure.

FIG. 7B is a block diagram illustrating a configured virtual network toconnect pods using a tunnel configured in the underlay network,according to techniques of this disclosure.

FIG. 8 is a block diagram illustrating an example of a custom controllerfor custom resource(s) for a cloud-native SDN architectureconfiguration, according to techniques of this disclosure.

FIG. 9 is a block diagram illustrating an example flow of creation,watch, and reconciliation among custom resource types that havedependencies on different custom resource types.

FIG. 10 is a block diagram illustrating a visualization of exampleassociations between access control policies, roles, and subjects.

FIG. 11 is a flowchart illustrating an example operation of a networkcontroller in an SDN architecture in accordance with the techniques ofthe present disclosure

Like reference characters denote like elements throughout thedescription and figures.

DETAILED DESCRIPTION

FIG. 1 is a block diagram illustrating an example computinginfrastructure 8 in which examples of the techniques described hereinmay be implemented. Current implementations of software-definednetworking (SDN) architectures for virtual networks present challengesfor cloud-native adoption due to, e.g., complexity in life cyclemanagement, a mandatory high resource analytics component, scalelimitations in configuration modules, and no command-line interface(CLI)-based (kubectl-like) interface. Computing infrastructure 8includes a cloud-native SDN architecture system, described herein, thataddresses these challenges and modernizes for the telco cloud-nativeera. Example use cases for the cloud-native SDN architecture include 5Gmobile networks as well as cloud and enterprise cloud-native use cases.An SDN architecture may include data plane elements implemented incompute nodes (e.g., servers 12) and network devices such as routers orswitches, and the SDN architecture may also include an SDN controller(e.g., network controller 24) for creating and managing virtualnetworks. The SDN architecture configuration and control planes aredesigned as scale-out cloud-native software with a container-basedmicroservices architecture that supports in-service upgrades.

As a result, the SDN architecture components are microservices and, incontrast to existing network controllers, the SDN architecture assumes abase container orchestration platform to manage the lifecycle of SDNarchitecture components. A container orchestration platform is used tobring up SDN architecture components; the SDN architecture uses cloudnative monitoring tools that can integrate with customer provided cloudnative options; the SDN architecture provides declarative way ofresources using aggregation APIs for SDN architecture objects (i.e.,custom resources). The SDN architecture upgrade may follow cloud nativepatterns, and the SDN architecture may leverage Kubernetes constructssuch as Multus, Authentication & Authorization, Cluster API,KubeFederation, KubeVirt, and Kata containers. The SDN architecture maysupport data plane development kit (DPDK) pods, and the SDN architecturecan extend to support Kubernetes with virtual network policies andglobal security policies.

For service providers and enterprises, the SDN architecture automatesnetwork resource provisioning and orchestration to dynamically createhighly scalable virtual networks and to chain a virtualized networkfunctions (VNFs) and physical network functions (PNFs) to formdifferentiated service chains on demand. The SDN architecture may beintegrated with orchestration platforms (e.g., orchestrator 23) such asKubernetes, OpenShift, Mesos, OpenStack, VMware vSphere, and withservice provider operations support systems/business support systems(OSS/BSS).

In general, one or more data center(s) 10 provide an operatingenvironment for applications and services for customer sites 11(illustrated as “customers 11”) having one or more customer networkscoupled to the data center by service provider network 7. Each of datacenter(s) 10 may, for example, host infrastructure equipment, such asnetworking and storage systems, redundant power supplies, andenvironmental controls. Service provider network 7 is coupled to publicnetwork 15, which may represent one or more networks administered byother providers, and may thus form part of a large-scale public networkinfrastructure, e.g., the Internet. Public network 15 may represent, forinstance, a local area network (LAN), a wide area network (WAN), theInternet, a virtual LAN (VLAN), an enterprise LAN, a layer 3 virtualprivate network (VPN), an Internet Protocol (IP) intranet operated bythe service provider that operates service provider network 7, anenterprise IP network, or some combination thereof.

Although customer sites 11 and public network 15 are illustrated anddescribed primarily as edge networks of service provider network 7, insome examples, one or more of customer sites 11 and public network 15may be tenant networks within any of data center(s) 10. For example,data center(s) 10 may host multiple tenants (customers) each associatedwith one or more virtual private networks (VPNs), each of which mayimplement one of customer sites 11.

Service provider network 7 offers packet-based connectivity to attachedcustomer sites 11, data center(s) 10, and public network 15. Serviceprovider network 7 may represent a network that is owned and operated bya service provider to interconnect a plurality of networks. Serviceprovider network 7 may implement Multi-Protocol Label Switching (MPLS)forwarding and in such instances may be referred to as an MPLS networkor MPLS backbone. In some instances, service provider network 7represents a plurality of interconnected autonomous systems, such as theInternet, that offers services from one or more service providers.

In some examples, each of data center(s) 10 may represent one of manygeographically distributed network data centers, which may be connectedto one another via service provider network 7, dedicated network links,dark fiber, or other connections. As illustrated in the example of FIG.1 , data center(s) 10 may include facilities that provide networkservices for customers. A customer of the service provider may be acollective entity such as enterprises and governments or individuals.For example, a network data center may host web services for severalenterprises and end users. Other exemplary services may include datastorage, virtual private networks, traffic engineering, file service,data mining, scientific- or super-computing, and so on. Althoughillustrated as a separate edge network of service provider network 7,elements of data center(s) 10 such as one or more physical networkfunctions (PNFs) or virtualized network functions (VNFs) may be includedwithin the service provider network 7 core.

In this example, data center(s) 10 includes storage and/or computeservers (or “nodes”) interconnected via switch fabric 14 provided by oneor more tiers of physical network switches and routers, with servers12A-12X (herein, “servers 12”) depicted as coupled to top-of-rackswitches 16A-16N. Servers 12 are computing devices and may also bereferred to herein as “compute nodes,” “hosts,” or “host devices.”Although only server 12A coupled to TOR switch 16A is shown in detail inFIG. 1 , data center 10 may include many additional servers coupled toother TOR switches 16 of the data center 10.

Switch fabric 14 in the illustrated example includes interconnectedtop-of-rack (TOR) (or other “leaf”) switches 16A-16N (collectively, “TORswitches 16”) coupled to a distribution layer of chassis (or “spine” or“core”) switches 18A-18M (collectively, “chassis switches 18”). Althoughnot shown, data center 10 may also include, for example, one or morenon-edge switches, routers, hubs, gateways, security devices such asfirewalls, intrusion detection, and/or intrusion prevention devices,servers, computer terminals, laptops, printers, databases, wirelessmobile devices such as cellular phones or personal digital assistants,wireless access points, bridges, cable modems, application accelerators,or other network devices. Data center(s) 10 may also include one or morephysical network functions (PNFs) such as physical firewalls, loadbalancers, routers, route reflectors, broadband network gateways (BNGs),mobile core network elements, and other PNFs.

In this example, TOR switches 16 and chassis switches 18 provide servers12 with redundant (multi-homed) connectivity to IP fabric 20 and serviceprovider network 7. Chassis switches 18 aggregate traffic flows andprovides connectivity between TOR switches 16. TOR switches 16 may benetwork devices that provide layer 2 (MAC) and/or layer 3 (e.g., IP)routing and/or switching functionality. TOR switches 16 and chassisswitches 18 may each include one or more processors and a memory and canexecute one or more software processes. Chassis switches 18 are coupledto IP fabric 20, which may perform layer 3 routing to route networktraffic between data center 10 and customer sites 11 by service providernetwork 7. The switching architecture of data center(s) 10 is merely anexample. Other switching architectures may have more or fewer switchinglayers, for instance. IP fabric 20 may include one or more gatewayrouters.

The term “packet flow,” “traffic flow,” or simply “flow” refers to a setof packets originating from a particular source device or endpoint andsent to a particular destination device or endpoint. A single flow ofpackets may be identified by the 5-tuple: <source network address,destination network address, source port, destination port, protocol>,for example. This 5-tuple generally identifies a packet flow to which areceived packet corresponds. An n-tuple refers to any n items drawn fromthe 5-tuple. For example, a 2-tuple for a packet may refer to thecombination of <source network address, destination network address> or<source network address, source port> for the packet.

Servers 12 may each represent a compute server or storage server. Forexample, each of servers 12 may represent a computing device, such as anx86 processor-based server, configured to operate according totechniques described herein. Servers 12 may provide Network FunctionVirtualization Infrastructure (NFVI) for an NFV architecture.

Any server of servers 12 may be configured with virtual executionelements, such as pods or virtual machines, by virtualizing resources ofthe server to provide some measure of isolation among one or moreprocesses (applications) executing on the server. “Hypervisor-based” or“hardware-level” or “platform” virtualization refers to the creation ofvirtual machines that each includes a guest operating system forexecuting one or more processes. In general, a virtual machine providesa virtualized/guest operating system for executing applications in anisolated virtual environment. Because a virtual machine is virtualizedfrom physical hardware of the host server, executing applications areisolated from both the hardware of the host and other virtual machines.Each virtual machine may be configured with one or more virtual networkinterfaces for communicating on corresponding virtual networks.

Virtual networks are logical constructs implemented on top of thephysical networks. Virtual networks may be used to replace VLAN-basedisolation and provide multi-tenancy in a virtualized data center, e.g.,an of data center(s) 10. Each tenant or an application can have one ormore virtual networks. Each virtual network may be isolated from all theother virtual networks unless explicitly allowed by security policy.

Virtual networks can be connected to and extended across physicalMulti-Protocol Label Switching (MPLS) Layer 3 Virtual Private Networks(L3VPNs) and Ethernet Virtual Private Networks (EVPNs) networks using adata center 10 gateway router (not shown in FIG. 1 ). Virtual networksmay also be used to implement Network Function Virtualization (NFV) andservice chaining.

Virtual networks can be implemented using a variety of mechanisms. Forexample, each virtual network could be implemented as a Virtual LocalArea Network (VLAN), Virtual Private Networks (VPN), etc. A virtualnetwork can also be implemented using two networks—the physical underlaynetwork made up of IP fabric 20 and switching fabric 14 and a virtualoverlay network. The role of the physical underlay network is to providean “IP fabric,” which provides unicast IP connectivity from any physicaldevice (server, storage device, router, or switch) to any other physicaldevice. The underlay network may provide uniform low-latency,non-blocking, high-bandwidth connectivity from any point in the networkto any other point in the network.

As described further below with respect to virtual router 21(illustrated as and also referred to herein as “vRouter 21”), virtualrouters running in servers 12 create a virtual overlay network on top ofthe physical underlay network using a mesh of dynamic “tunnels” amongstthemselves. These overlay tunnels can be MPLS over GRE/UDP tunnels, orVXLAN tunnels, or NVGRE tunnels, for instance. The underlay physicalrouters and switches may not store any per-tenant state for virtualmachines or other virtual execution elements, such as any Media AccessControl (MAC) addresses, IP address, or policies. The forwarding tablesof the underlay physical routers and switches may, for example, onlycontain the IP prefixes or MAC addresses of the physical servers 12.(Gateway routers or switches that connect a virtual network to aphysical network are an exception and may contain tenant MAC or IPaddresses.)

Virtual routers 21 of servers 12 often contain per-tenant state. Forexample, they may contain a separate forwarding table (arouting-instance) per virtual network. That forwarding table containsthe IP prefixes (in the case of a layer 3 overlays) or the MAC addresses(in the case of layer 2 overlays) of the virtual machines or othervirtual execution elements (e.g., pods of containers). No single virtualrouter 21 needs to contain all IP prefixes or all MAC addresses for allvirtual machines in the entire data center. A given virtual router 21only needs to contain those routing instances that are locally presenton the server 12 (i.e., which have at least one virtual executionelement present on the server 12.)

“Container-based” or “operating system” virtualization refers to thevirtualization of an operating system to run multiple isolated systemson a single machine (virtual or physical). Such isolated systemsrepresent containers, such as those provided by the open-source DOCKERContainer application or by CoreOS Rkt (“Rocket”). Like a virtualmachine, each container is virtualized and may remain isolated from thehost machine and other containers. However, unlike a virtual machine,each container may omit an individual operating system and insteadprovide an application suite and application-specific libraries. Ingeneral, a container is executed by the host machine as an isolateduser-space instance and may share an operating system and commonlibraries with other containers executing on the host machine. Thus,containers may require less processing power, storage, and networkresources than virtual machines. A group of one or more containers maybe configured to share one or more virtual network interfaces forcommunicating on corresponding virtual networks.

In some examples, containers are managed by their host kernel to allowlimitation and prioritization of resources (CPU, memory, block I/O,network, etc.) without the need for starting any virtual machines, insome cases using namespace isolation functionality that allows completeisolation of an application's (e.g., a given container) view of theoperating environment, including process trees, networking, useridentifiers and mounted file systems. In some examples, containers maybe deployed according to Linux Containers (LXC), anoperating-system-level virtualization method for running multipleisolated Linux systems (containers) on a control host using a singleLinux kernel.

Servers 12 host virtual network endpoints for one or more virtualnetworks that operate over the physical network represented here by IPfabric 20 and switch fabric 14. Although described primarily withrespect to a data center-based switching network, other physicalnetworks, such as service provider network 7, may underlay the one ormore virtual networks.

Each of servers 12 may host one or more virtual execution elements eachhaving at least one virtual network endpoint for one or more virtualnetworks configured in the physical network. A virtual network endpointfor a virtual network may represent one or more virtual executionelements that share a virtual network interface for the virtual network.For example, a virtual network endpoint may be a virtual machine, a setof one or more containers (e.g., a pod), or another virtual executionelement(s), such as a layer 3 endpoint for a virtual network. The term“virtual execution element” encompasses virtual machines, containers,and other virtualized computing resources that provide an at leastpartially independent execution environment for applications. The term“virtual execution element” may also encompass a pod of one or morecontainers. Virtual execution elements may represent applicationworkloads. As shown in FIG. 1 , server 12A hosts one virtual networkendpoint in the form of pod 22 having one or more containers. However, aserver 12 may execute as many virtual execution elements as is practicalgiven hardware resource limitations of the server 12. Each of thevirtual network endpoints may use one or more virtual network interfacesto perform packet I/O or otherwise process a packet. For example, avirtual network endpoint may use one virtual hardware component (e.g.,an SR-IOV virtual function) enabled by NIC 13A to perform packet I/O andreceive/send packets on one or more communication links with TOR switch16A. Other examples of virtual network interfaces are described below.

Servers 12 each includes at least one network interface card (NIC) 13,which each includes at least one interface to exchange packets with TORswitches 16 over a communication link. For example, server 12A includesNIC 13A. Any of NICs 13 may provide one or more virtual hardwarecomponents 21 for virtualized input/output (I/O). A virtual hardwarecomponent for I/O maybe a virtualization of the physical NIC (the“physical function”). For example, in Single Root I/O Virtualization(SR-IOV), which is described in the Peripheral Component InterfaceSpecial Interest Group SR-IOV specification, the PCIe Physical Functionof the network interface card (or “network adapter”) is virtualized topresent one or more virtual network interfaces as “virtual functions”for use by respective endpoints executing on the server 12. In this way,the virtual network endpoints may share the same PCIe physical hardwareresources and the virtual functions are examples of virtual hardwarecomponents 21. As another example, one or more servers 12 may implementVirtio, a para-virtualization framework available, e.g., for the LinuxOperating System, that provides emulated NIC functionality as a type ofvirtual hardware component to provide virtual network interfaces tovirtual network endpoints. As another example, one or more servers 12may implement Open vSwitch to perform distributed virtual multilayerswitching between one or more virtual NICs (vNICs) for hosted virtualmachines, where such vNICs may also represent a type of virtual hardwarecomponent that provide virtual network interfaces to virtual networkendpoints. In some instances, the virtual hardware components arevirtual I/O (e.g., NIC) components. In some instances, the virtualhardware components are SR-IOV virtual functions. In some examples, anyserver of servers 12 may implement a Linux bridge that emulates ahardware bridge and forwards packets among virtual network interfaces ofthe server or between a virtual network interface of the server and aphysical network interface of the server. For Docker implementations ofcontainers hosted by a server, a Linux bridge or other operating systembridge, executing on the server, that switches packets among containersmay be referred to as a “Docker bridge.” The term “virtual router” asused herein may encompass a Contrail or Tungsten Fabric virtual router,Open vSwitch (OVS), an OVS bridge, a Linux bridge, Docker bridge, orother device and/or software that is located on a host device andperforms switching, bridging, or routing packets among virtual networkendpoints of one or more virtual networks, where the virtual networkendpoints are hosted by one or more of servers 12.

Any of NICs 13 may include an internal device switch to switch databetween virtual hardware components associated with the NIC. Forexample, for an SR-IOV-capable NIC, the internal device switch may be aVirtual Ethernet Bridge (VEB) to switch between the SR-IOV virtualfunctions and, correspondingly, between endpoints configured to use theSR-IOV virtual functions, where each endpoint may include a guestoperating system. Internal device switches may be alternatively referredto as NIC switches or, for SR-IOV implementations, SR-IOV NIC switches.Virtual hardware components associated with NIC 13A may be associatedwith a layer 2 destination address, which may be assigned by the NIC 13Aor a software process responsible for configuring NIC 13A. The physicalhardware component (or “physical function” for SR-IOV implementations)is also associated with a layer 2 destination address.

One or more of servers 12 may each include a virtual router 21 thatexecutes one or more routing instances for corresponding virtualnetworks within data center 10 to provide virtual network interfaces androute packets among the virtual network endpoints. Each of the routinginstances may be associated with a network forwarding table. Each of therouting instances may represent a virtual routing and forwardinginstance (VRF) for an Internet Protocol-Virtual Private Network(IP-VPN). Packets received by virtual router 21 of server 12A, forinstance, from the underlying physical network fabric of data center 10(i.e., IP fabric 20 and switch fabric 14) may include an outer header toallow the physical network fabric to tunnel the payload or “innerpacket” to a physical network address for a network interface card 13Aof server 12A that executes the virtual router. The outer header mayinclude not only the physical network address of the network interfacecard 13A of the server but also a virtual network identifier such as aVxLAN tag or Multiprotocol Label Switching (MPLS) label that identifiesone of the virtual networks as well as the corresponding routinginstance executed by virtual router 21. An inner packet includes aninner header having a destination network address that conforms to thevirtual network addressing space for the virtual network identified bythe virtual network identifier.

Virtual routers 21 terminate virtual network overlay tunnels anddetermine virtual networks for received packets based on tunnelencapsulation headers for the packets, and forwards packets to theappropriate destination virtual network endpoints for the packets. Forserver 12A, for example, for each of the packets outbound from virtualnetwork endpoints hosted by server 12A (e.g., pod 22), virtual router 21attaches a tunnel encapsulation header indicating the virtual networkfor the packet to generate an encapsulated or “tunnel” packet, andvirtual router 21 outputs the encapsulated packet via overlay tunnelsfor the virtual networks to a physical destination computing device,such as another one of servers 12. As used herein, virtual router 21 mayexecute the operations of a tunnel endpoint to encapsulate inner packetssourced by virtual network endpoints to generate tunnel packets anddecapsulate tunnel packets to obtain inner packets for routing to othervirtual network endpoints.

In some examples, virtual router 21 may be a kernel-based and execute aspart of the kernel of an operating system of server 12A.

In some examples, virtual router 21 may be a Data Plane Development Kit(DPDK)-enabled virtual router. In such examples, virtual router 21 usesDPDK as a data plane. In this mode, virtual router 21 runs as a userspace application that is linked to the DPDK library (not shown). Thisis a performance version of a virtual router and is commonly used bytelecommunications companies, where the VNFs are often DPDK-basedapplications. The performance of virtual router 21 as a DPDK virtualrouter can achieve ten times higher throughput than a virtual routeroperating as a kernel-based virtual router. The physical interface isused by DPDK's poll mode drivers (PMDs) instead of Linux kernel'sinterrupt-based drivers.

A user-I/O (UIO) kernel module, such as vfio or uio_pci_generic, may beused to expose a physical network interface's registers into user spaceso that they are accessible by the DPDK PMD. When NIC 13A is bound to aUIO driver, it is moved from Linux kernel space to user space andtherefore no longer managed nor visible by the Linux OS. Consequently,it is the DPDK application (i.e., virtual router 21A in this example)that fully manages the NIC 13. This includes packets polling, packetsprocessing, and packets forwarding. User packet processing steps may beperformed by the virtual router 21 DPDK data plane with limited or noparticipation by the kernel (kernel not shown in FIG. 1 ). The nature ofthis “polling mode” makes the virtual router 21 DPDK data plane packetprocessing/forwarding much more efficient as compared to the interruptmode, particularly when the packet rate is high. There are limited or nointerrupts and context switching during packet I/O.

Additional details of an example of a DPDK vRouter are found in “DAYONE: CONTRAIL DPDK vROUTER,” 2021, Kiran K N et al., Juniper Networks,Inc., which is incorporated by reference herein in its entirety.

Computing infrastructure 8 implements an automation platform forautomating deployment, scaling, and operations of virtual executionelements across servers 12 to provide virtualized infrastructure forexecuting application workloads and services. In some examples, theplatform may be a container orchestration system that provides acontainer-centric infrastructure for automating deployment, scaling, andoperations of containers to provide a container-centric infrastructure.“Orchestration,” in the context of a virtualized computinginfrastructure generally refers to provisioning, scheduling, andmanaging virtual execution elements and/or applications and servicesexecuting on such virtual execution elements to the host serversavailable to the orchestration platform. Container orchestration,specifically, permits container coordination and refers to thedeployment, management, scaling, and configuration, e.g., of containersto host servers by a container orchestration platform. Example instancesof orchestration platforms include Kubernetes (a container orchestrationsystem), Docker swarm, Mesos/Marathon, OpenShift, OpenStack, VMware, andAmazon ECS.

Elements of the automation platform of computing infrastructure 8include at least servers 12, orchestrator 23, and network controller 24.Containers may be deployed to a virtualization environment using acluster-based framework in which a cluster master node of a clustermanages the deployment and operation of containers to one or morecluster minion nodes of the cluster. The terms “master node” and “minionnode” used herein encompass different orchestration platform terms foranalogous devices that distinguish between primarily management elementsof a cluster and primarily container hosting devices of a cluster. Forexample, the Kubernetes platform uses the terms “cluster master” and“minion nodes,” while the Docker Swarm platform refers to clustermanagers and cluster nodes.

Orchestrator 23 and network controller 24 may execute on separatecomputing devices, execute on the same computing device. Each oforchestrator 23 and network controller 24 may be a distributedapplication that executes on one or more computing devices. Orchestrator23 and network controller 24 may implement respective master nodes forone or more clusters each having one or more minion nodes implemented byrespective servers 12 (also referred to as “compute nodes”).

In general, network controller 24 controls the network configuration ofthe data center 10 fabric to, e.g., establish one or more virtualnetworks for packetized communications among virtual network endpoints.Network controller 24 provides a logically and in some cases physicallycentralized controller for facilitating operation of one or more virtualnetworks within data center 10. In some examples, network controller 24may operate in response to configuration input received fromorchestrator 23 and/or an administrator/operator. Additional informationregarding example operations of a network controller 24 operating inconjunction with other devices of data center 10 or othersoftware-defined network is found in International Application NumberPCT/US2013/044378, filed Jun. 5, 2013, and entitled “PHYSICAL PATHDETERMINATION FOR VIRTUAL NETWORK PACKET FLOWS;” and in U.S. patentapplication Ser. No. 14/226,509, filed Mar. 26, 2014, and entitled“Tunneled Packet Aggregation for Virtual Networks,” each which isincorporated by reference as if fully set forth herein.

In general, orchestrator 23 controls the deployment, scaling, andoperations of containers across clusters of servers 12 and providingcomputing infrastructure, which may include container-centric computinginfrastructure. Orchestrator 23 and, in some cases, network controller24 may implement respective cluster masters for one or more Kubernetesclusters. As an example, Kubernetes is a container management platformthat provides portability across public and private clouds, each ofwhich may provide virtualization infrastructure to the containermanagement platform. Example components of a Kubernetes orchestrationsystem are described below with respect to FIG. 3 .

In one example, pod 22 is a Kubernetes pod and an example of a virtualnetwork endpoint. A pod is a group of one or more logically-relatedcontainers (not shown in FIG. 1 ), the shared storage for thecontainers, and options on how to run the containers. Where instantiatedfor execution, a pod may alternatively be referred to as a “podreplica.” Each container of pod 22 is an example of a virtual executionelement. Containers of a pod are always co-located on a single server,co-scheduled, and run in a shared context. The shared context of a podmay be a set of Linux namespaces, cgroups, and other facets ofisolation. Within the context of a pod, individual applications mighthave further sub-isolations applied. Typically, containers within a podhave a common IP address and port space and are able to detect oneanother via the localhost. Because they have a shared context,containers within a pod are also communicate with one another usinginter-process communications (IPC). Examples of IPC include SystemVsemaphores or POSIX shared memory. Generally, containers that aremembers of different pods have different IP addresses and are unable tocommunicate by IPC in the absence of a configuration for enabling thisfeature. Containers that are members of different pods instead usuallycommunicate with each other via pod IP addresses.

Server 12A includes a container platform 19 for running containerizedapplications, such as those of pod 22. Container platform 19 receivesrequests from orchestrator 23 to obtain and host, in server 12A,containers. Container platform 19 obtains and executes the containers.

Container network interface (CNI) 17 configures virtual networkinterfaces for virtual network endpoints. The orchestrator 23 andcontainer platform 19 use CNI 17 to manage networking for pods,including pod 22. For example, CNI 17 creates virtual network interfacesto connect pods to virtual router 21 and enables containers of such podsto communicate, via the virtual network interfaces, to other virtualnetwork endpoints over the virtual networks. CNI 17 may, for example,insert a virtual network interface for a virtual network into thenetwork namespace for containers in pod 22 and configure (or request toconfigure) the virtual network interface for the virtual network invirtual router 21 such that virtual router 21 is configured to sendpackets received from the virtual network via the virtual networkinterface to containers of pod 22 and to send packets received via thevirtual network interface from containers of pod 22 on the virtualnetwork. CNI 17 may assign a network address (e.g., a virtual IP addressfor the virtual network) and may set up routes for the virtual networkinterface. In Kubernetes, by default all pods can communicate with allother pods without using network address translation (NAT). In somecases, the orchestrator 23 and network controller 24 create a servicevirtual network and a pod virtual network that are shared by allnamespaces, from which service and pod network addresses are allocated,respectively. In some cases, all pods in all namespaces that are spawnedin the Kubernetes cluster may be able to communicate with one another,and the network addresses for all of the pods may be allocated from apod subnet that is specified by the orchestrator 23. When a user createsan isolated namespace for a pod, orchestrator 23 and network controller24 may create a new pod virtual network and new shared service virtualnetwork for the new isolated namespace. Pods in the isolated namespacethat are spawned in the Kubernetes cluster draw network addresses fromthe new pod virtual network, and corresponding services for such podsdraw network addresses from the new service virtual network

CNI 17 may represent a library, a plugin, a module, a runtime, or otherexecutable code for server 12A. CNI 17 may conform, at least in part, tothe Container Network Interface (CNI) specification or the rktNetworking Proposal. CNI 17 may represent a Contrail, OpenContrail,Multus, Calico, cRPD, or other CNI. CNI 17 may alternatively be referredto as a network plugin or CNI plugin or CNI instance. Separate CNIs maybe invoked by, e.g., a Multus CNI to establish different virtual networkinterfaces for pod 22.

CNI 17 may be invoked by orchestrator 23. For purposes of the CNIspecification, a container can be considered synonymous with a Linuxnetwork namespace. What unit this corresponds to depends on a particularcontainer runtime implementation: for example, in implementations of theapplication container specification such as rkt, each pod runs in aunique network namespace. In Docker, however, network namespacesgenerally exist for each separate Docker container. For purposes of theCNI specification, a network refers to a group of entities that areuniquely addressable and that can communicate amongst each other. Thiscould be either an individual container, a machine/server (real orvirtual), or some other network device (e.g. a router). Containers canbe conceptually added to or removed from one or more networks. The CNIspecification specifies a number of considerations for a conformingplugin (“CNI plugin”).

Pod 22 includes one or more containers. In some examples, pod 22includes a containerized DPDK workload that is designed to use DPDK toaccelerate packet processing, e.g., by exchanging data with othercomponents using DPDK libraries. Virtual router 21 may execute as acontainerized DPDK workload in some examples.

Pod 22 is configured with virtual network interface 26 for sending andreceiving packets with virtual router 21. Virtual network interface 26may be a default interface for pod 22. Pod 22 may implement virtualnetwork interface 26 as an Ethernet interface (e.g., named “eth0”) whilevirtual router 21 may implement virtual network interface 26 as a tapinterface, virtio-user interface, or other type of interface.

Pod 22 and virtual router 21 exchange data packets using virtual networkinterface 26. Virtual network interface 26 may be a DPDK interface. Pod22 and virtual router 21 may set up virtual network interface 26 usingvhost. Pod 22 may operate according to an aggregation model. Pod 22 mayuse a virtual device, such as a virtio device with a vhost-user adapter,for user space container inter-process communication for virtual networkinterface 26.

CNI 17 may configure, for pod 22, in conjunction with one or more othercomponents shown in FIG. 1 , virtual network interface 26. Any of thecontainers of pod 22 may utilize, i.e., share, virtual network interface26 of pod 22.

Virtual network interface 26 may represent a virtual ethernet (“veth”)pair, where each end of the pair is a separate device (e.g., aLinux/Unix device), with one end of the pair assigned to pod 22 and oneend of the pair assigned to virtual router 21. The veth pair or an endof a veth pair are sometimes referred to as “ports”. A virtual networkinterface may represent a macvlan network with media access control(MAC) addresses assigned to pod 22 and to virtual router 21 forcommunications between containers of pod 22 and virtual router 21.Virtual network interfaces may alternatively be referred to as virtualmachine interfaces (VMIs), pod interfaces, container network interfaces,tap interfaces, veth interfaces, or simply network interfaces (inspecific contexts), for instance.

In the example server 12A of FIG. 1 , pod 22 is a virtual networkendpoint in one or more virtual networks. Orchestrator 23 may store orotherwise manage configuration data for application deployments thatspecifies a virtual network and specifies that pod 22 (or the one ormore containers therein) is a virtual network endpoint of the virtualnetwork. Orchestrator 23 may receive the configuration data from a user,operator/administrator, or other machine system, for instance.

As part of the process of creating pod 22, orchestrator 23 requests thatnetwork controller 24 create respective virtual network interfaces forone or more virtual networks (indicated in the configuration data). Pod22 may have a different virtual network interface for each virtualnetwork to which it belongs. For example, virtual network interface 26may be a virtual network interface for a particular virtual network.Additional virtual network interfaces (not shown) may be configured forother virtual networks. Network controller 24 processes the request togenerate interface configuration data for virtual network interfaces forthe pod 22. Interface configuration data may include a container or podunique identifier and a list or other data structure specifying, foreach of the virtual network interfaces, network configuration data forconfiguring the virtual network interface. Network configuration datafor a virtual network interface may include a network name, assignedvirtual network address, MAC address, and/or domain name server values.An example of interface configuration data in JavaScript Object Notation(JSON) format is below.

Network controller 24 sends interface configuration data to server 12Aand, more specifically in some cases, to virtual router 21. To configurea virtual network interface for pod 22, orchestrator 23 may invoke CNI17. CNI 17 obtains the interface configuration data from virtual router21 and processes it. CNI 17 creates each virtual network interfacespecified in the interface configuration data. For example, CNI 17 mayattach one end of a veth pair implementing management interface 26 tovirtual router 21 and may attach the other end of the same veth pair topod 22, which may implement it using virtio-user.

The following is example interface configuration data for pod 22 forvirtual network interface 26.

[{  // virtual network interface 26  ″id″:″fe4bab62-a716-11e8-abd5-0cc47a698428″,  ″instance-id″:″fe3edca5-a716-lle8-822c-0cc47a698428″  ″ip-address″: ″10.47.255.250″, ″plen″: 12,  ″vn-id″: ″56dda39c-5e99-4a28-855e-6ce378982888″, ″vm-project-id″: ″00000000-0000-0000-0000-000000000000″, ″mac-address″: ″02:fe:4b:ab:62:a7″,  ″system-name″: ″tapeth0fe3edca″, ″rx-vlan-id″: 65535,  ″tx-vlan-id″: 65535,  ″vhostuser-mode″: 0, “v6-ip-address”: “::“,  “v6-plen”: ,  “v6-dns-server”: “::”, “v6-gateway”: “::”,  ″dns-server″: ″10.47.255.253″,  ″gateway″:″10.47.255.254″,  ″author″: ″/usr/bin/contrail-vrouter-agent″,  ″time″:″426404:56:19.863169″ }]

A conventional CNI plugin is invoked by a container platform/runtime,receives an Add command from the container platform to add a containerto a single virtual network, and such a plugin may subsequently beinvoked to receive a Del(ete) command from the container/runtime andremove the container from the virtual network. The term “invoke” mayrefer to the instantiation, as executable code, of a software componentor module in memory for execution by processing circuitry.

Network controller 24 is a cloud-native, distributed network controllerfor software-defined networking (SDN) that is implemented using one ormore configuration nodes 30 and one or more control nodes 32. Each ofconfiguration nodes 30 may itself be implemented using one or morecloud-native, component microservices. Each of control nodes 32 mayitself be implemented using one or more cloud-native, componentmicroservices.

In some examples, and as described in further detail below,configuration nodes 30 may be implemented by extending the nativeorchestration platform to support custom resources for the orchestrationplatform for software-defined networking and, more specifically, forproviding northbound interfaces to orchestration platforms to supportintent-driven/declarative creation and managing of virtual networks by,for instance, configuring virtual network interfaces for virtualexecution elements, configuring underlay networks connecting servers 12,configuring overlay routing functionality including overlay tunnels forthe virtual networks and overlay trees for multicast layer 2 and layer3.

Network controller 24, as part of the SDN architecture illustrated inFIG. 1 , may be multi-tenant aware and support multi-tenancy fororchestration platforms. For example, network controller 24 may supportKubernetes Role Based Access Control (RBAC) constructs, local identityaccess management (IAM) and external IAM integrations. Networkcontroller 24 may also support Kubernetes-defined networking constructsand advanced networking features like virtual networking, BGPaaS,networking policies, service chaining and other telco features. Networkcontroller 24 may support network isolation using virtual networkconstructs and support layer 3 networking.

To interconnect multiple virtual networks, network controller 24 may use(and configure in the underlay and/or virtual routers 21) networkpolicies, referred to as Virtual Network Policy (VNP) and alternativelyreferred to herein as Virtual Network Router or Virtual NetworkTopology. The VNP defines connectivity policy between virtual networks.A single network controller 24 may support multiple Kubernetes clusters,and VNP thus allows connecting multiple virtual networks in a namespace,Kubernetes cluster and across Kubernetes clusters. VNP may also extendto support virtual network connectivity across multiple instances ofnetwork controller 24.

Network controller 24 may enable multi layers of security using networkpolicies. The Kubernetes default behavior is for pods to communicatewith one another. In order to apply network security policies, the SDNarchitecture implemented by network controller 24 and virtual router 21may operate as a CNI for Kubernetes through CNI 17. For layer 3,isolation occurs at the network level and virtual networks operate atL3. Virtual networks are connected by policy. The Kubernetes nativenetwork policy provides security at layer 4. The SDN architecture maysupport Kubernetes network policies. Kubernetes network policy operatesat the Kubernetes namespace boundary. The SDN architecture may addcustom resources for enhanced network policies. The SDN architecture maysupport application-based security. (These security policies can in somecases be based upon metatags to apply granular security policy in anextensible manner.) For layer 4+, the SDN architecture may in someexamples support integration with containerized security devices and/orIstio and may provide encryption support.

Network controller 24, as part of the SDN architecture illustrated inFIG. 1 , may support multi-cluster deployments, which is important fortelco cloud and high-end enterprise use cases. The SDN architecture maysupport multiple Kubernetes clusters, for instance. A Cluster API can beused to support life cycle management of Kubernetes clusters. KubefedV2can be used for configuration nodes 30 federation across Kubernetesclusters. Cluster API and KubefedV2 are optional components forsupporting a single instance of a network controller 24 supportingmultiple Kubernetes clusters.

The SDN architecture may provide insights at infrastructure, cluster,and application using web user interface and telemetry components.Telemetry nodes may be cloud-native and include microservices to supportinsights.

Role-based access control (RBAC) may be one role-based technique forrestricting and monitor users' access within computer infrastructure 8.Computer infrastructure 8 (e.g., via network controller 24) may beconfigured with one or more roles, each of which may be assigned to oneor more users and/or services. Roles assigned to a user or service maydetermine services provided to the user or service, applications theuser or service is permitted to access within computer infrastructure 8,admin privileges the user or service has within computer infrastructure8, or any combination thereof. Each role may be associated with anaccess control policy that specifies the associated role's permission toperform certain operations and/or access certain objects and/orresources within computer infrastructure 8. For example, an accesscontrol policy for a role may specify one or more objects and/orresources within computer infrastructure 8 on which the role is allowedto perform one or more operations and that may also specify, for each ofthe one or more objects and/or resources specified in the policy, theone or more operations that the role is allowed to perform on theobject.

In some examples, an access control policy for a role may specify, forone or more objects or resources in computer infrastructure 8, one ormore of create, read, update, and delete (CRUD) operations that the roleis permitted to perform on the object or resource. In some examples, anaccess control policy may act as a whitelist in that the access controlpolicy may specify the objects and/or operations that the role is ableto access and/or perform, but may refrain from specifying the objectsand/or operations that the role is not able to access. For example, ifan access control policy does not specify a particular object withincomputer infrastructure 8, then the role associated with the accesscontrol policy may not be able to perform any operations on the object.In another example, if an access control policy specifies one or moreoperations that the role is able to perform on an object within computerinfrastructure 8, but does not specify a particular operation that therole is able to perform on the object, then the role associated with theaccess control policy may only be able to perform the one or morespecified operations on the object but may not be able to perform theparticular operation on the object.

In some examples, an administrator (e.g., a user) may manually createand/or modify access control policies for roles in order to specify theobjects within computer infrastructure 8 that the role is permitted toaccess and the operations that the role is permitted to perform on thosespecified objects. The administrator may interact with a user interface,such as a graphical user interface, that is presented by a userinterface device, such as by providing user input at the user interfacedevice, to specify, for a role, permissions to access objects andperform operations within computer infrastructure 8. For example, theadministrator may provide user input to select one or more objects incomputer infrastructure 8 on which the role is permitted to perform oneor more operations and may provide input to specify one or moreoperations, such as one or more of CRUD operations, for each of theobjects selected by the administrator.

While manually creating access control policies for generic high-levelroles such as for a cloud administrator or a tenant administrator may berelatively easy and straightforward because the administrator may beable to simply specify that a role for a cloud administrator ispermitted to perform all of the CRUD operations on all objects in, forexample, computer infrastructure 8 in the case of a role for a cloudadministrator or a particular tenant in the case of a tenantadministrator, it may be harder for the administrator to manually createmore fine-grained access control policies at the individual object levelin computer infrastructure 8.

For example, some functions performed by computer infrastructure 8 mayinclude performing operations on tens, hundreds, or thousands ofdifferent objects and resources within computer infrastructure 8. Assuch, the administrator may have to manually select the access controlpolicies for tens, hundreds, or thousands of objects and resourceswithin computer infrastructure 8 in order to create an access controlpolicy for a role that performs such functions. In addition, becauseusers of computer infrastructure 8 may specify functions to be performedby computer infrastructure 8 as one or more user intents that arehigh-level descriptions of end functionalities of the computerinfrastructure 8, users of computer infrastructure 8 may not havevisibility into all of the operations that computer infrastructure 8 mayperform in order to perform such one or more user intents.

Furthermore, certain resources and objects may be hierarchical, so thata role may be permitted to perform CRUD operations on a resource only ifthe role is also permitted to permit the same CRUD operations on adependent resources that is hierarchically related to the resource. Inaddition, the access control policies associated with roles may changeover time, such as based on changes to computer infrastructure 8 orbased on any other factors. As such, it may be impractical for users ofcomputer infrastructure 8 to manually create access control policies forroles that permit roles to perform some functions within computerinfrastructure 8 by manually setting the permitted operations on objectsand roles.

In accordance with aspects of the present disclosure, components ofcomputer infrastructure 8, such as network controller 24, may createaccess control policies that permit roles to access resources andperform operations on resources in computer infrastructure 8. Networkcontroller 24 may be able to create such access control policies forroles without an administrator having to manually configure the exactresources that roles are permitted to access and the exact operationsthat roles are permitted to perform on each of the resources. Instead, auser with elevated privileges, such as an administrator of computerinfrastructure 8 or of a particular domain, cluster, tenant, and thelike within computer infrastructure 8, may send a request to networkcontroller 24 to create an access control policy that permits a role toperform one or more functions in computer infrastructure 8.

Network controller 24 may determine one or more operations to beperformed on one or more resources in computer infrastructure 8 in orderto perform the one or more specified functions and may generate anaccess control policy for the role that permits the associated role toperform the one or more operations on the one or more resources. Networkcontroller 24 may therefore generate an access control policy for therole that specifies the one or more operations that the role ispermitted to perform on one or more resources in computer infrastructure8.

In the example of FIG. 1 , an administrator may request that an accesscontrol policy to be created for a role that permits the role to performone or more functions in computer infrastructure 8 by providing, tonetwork controller 24, indications of the one or more functions to beperformed by the role. The administrator may specify the one or more tobe performed by the role by calling functions of an applicationprogramming interface (API) provided by, for example, network controller24. For example, the administrator may provide user input at an userinterface device operably coupled to network controller 24 to specifyone or more functions to be performed by the role, or may create ascript that calls functions of the provided API that the role should bepermitted to call.

In some examples, the administrator may also specify a role associatedwith the access control policy. By specifying a role associated with theaccess control policy, the access control policy that is generated basedat least in part on the one or more functions specified by theadministrator may define the operations that users and/or applicationsassigned to the role are permitted to perform in computer infrastructure8.

In some examples, the administrator may also specify a scope of theaccess control policy that is to be created. The scope may indicate theportions of computer infrastructure 8 to which the access control policyapplies. In the examples where computer infrastructure 8 hosts and/orotherwise includes clusters, the administrator may specify whether therole is associated with a particular namespace, such that the accesscontrol policy for the role applies to a particular namespace, orwhether the role is associated with a particular cluster, such that theaccess control policy for the role applies to a particular clusterhosted and/or otherwise included in computer infrastructure 8.

Network controller 24 may, in response to receiving an indication of theone or more functions, execute the one or more functions. In someexamples, if the indication of the one or more functions include orotherwise specify one or more functions of the API provided by networkcontroller 24, network controller 24 may execute the one or more specifyfunctions of the API. Network controller 24 may act to control thecomponents of computer infrastructure 8, such as data centers 10,chassis switches 18, TOR switches 16, servers 12, container platforms(e.g., container platform 19), pods (e.g., pod 22), virtual routers(e.g., virtual router 21), container network interfaces (e.g., CNI 17),hypervisors, policies, applications, services, and the like in order toperform the functions of the API.

As network controller 24 executes the functions of the API, networkcontroller 24 may log the actions perform on objects and resources incomputer infrastructure 8 as a result of executing the functions tocreate a chronological record documenting the sequence of actions incomputer infrastructure 8. Network controller 24 may enable loggingprior to executing the functions. As network controller 24 executes thefunctions of the API calls, network controller 24 may log informationsuch as the resources operated upon to perform the API calls, theoperations (e.g., CRUD operations) performed on the resources, thetimestamp of each operation performed on the resources, the namespace ofthe resources operated upon, and the like. In some examples, networkcontroller 24 may log the information as events, where each event in theaudit log be associated with a resource that is operated upon, and mayinclude indications of the resource, one or more operations performed onthe resources, the timestamp of the one or more operations performed onthe resource, the namespace of the resource, and the like.

Network controller 24 may filter and/or parse the audit log to extract,from the audit log, information such as the resources operated upon toexecute the functions and the operations performed on the resources. Insome examples, network controller 24 may filter the audit log based ontimestamps associated with the events recorded in the audit log. Forexample, network controller 24 may determine the time at which networkcontroller 24 starts executing the functions and the time at whichnetwork controller 24 finishes executing the functions. As such, networkcontroller 24 may filter the audit log for events that are timestampedas having occurred between the time at which network controller 24starts executing the functions and the time at which network controller24 finishes executing the functions.

In some examples, network controller 24 may filter the audit log basedon namespaces associated with the events recorded in the audit log. Ifthe administrator specifies that the access control policy is applied toa particular namespace, network controller 24 may filter the audit logfor events that are associated with the particular namespace.

Network controller 24 may parse the audit log, including the audit logthat has been filtered, to extract information that network controller24 may use to generate the access control policy. Specifically, networkcontroller 24 may extract one or more resources recorded in the auditlog as being accessed and may extract, for each of the one or moreresources, one or more associated operations performed on the resource.Network controller 24 may therefore generate an access control policythat specifies, for each of the one or more resources recorded in theaudit log as being accessed, one or more associated operations recordedas being performed on the resource in the access log as the one or moreactions that can be performed on the resource.

FIG. 2 is a block diagram illustrating an example of a cloud-native SDNarchitecture for cloud native networking, in accordance with techniquesof this disclosure. SDN architecture 200 is illustrated in a manner thatabstracts underlying connectivity among the various components. In thisexample, network controller 24 of SDN architecture 200 includesconfiguration nodes 230A-230N (“configuration nodes” or “config nodes”and collectively, “configuration nodes 230”) and control nodes 232A-232K(collectively, “control nodes 232”). Configuration nodes 230 and controlnodes 232 may represent examples implementations of configuration nodes30 and control nodes 32 of FIG. 1 , respectively. Configuration nodes230 and control nodes 232, although illustrated as separate from servers12, may be executed as one or more workloads on servers 12.

Configuration nodes 230 offer northbound, REpresentation State Transfer(REST) interfaces to support intent-driven configuration of SDNarchitecture 200. Example platforms and applications that may be used topush intents to configuration nodes 230 include virtual machineorchestrator 240 (e.g., Openstack), container orchestrator 242 (e.g.,Kubernetes), user interface 244, or other one or more application(s)246. In some examples, SDN architecture 200 has Kubernetes as its baseplatform.

SDN architecture 200 is divided into a configuration plane, controlplane, and data plane, along with an optional telemetry (or analytics)plane. The configuration plane is implemented with horizontally scalableconfiguration nodes 230, the control plane is implemented withhorizontally scalable control nodes 232, and the data plane isimplemented with compute nodes. The optional telemetry plane may beimplemented with telemetry node(s) 260.

At a high level, configuration nodes 230 uses configuration store 224 tomanage the state of configuration resources of SDN architecture 200. Ingeneral, a configuration resource (or more simply “resource”) is a namedobject schema that includes data and/or methods that describe the customresource, and an application programming interface (API) is defined forcreating and manipulating the data through an API server. A kind is thename of an object schema. Configuration resources may include Kubernetesnative resources, such as Pod, Ingress, Configmap, Service, Role,Namespace, Node, Networkpolicy, or LoadBalancer. Configuration resourcesalso include custom resources, which are used to extend the Kubernetesplatform by defining an API that may not be available in a defaultinstallation of the Kubernetes platform. In the example of SDNarchitecture 200, custom resources may describe physical infrastructure,virtual infrastructure, configurations, and/or other resources of SDNarchitecture 200. As part of the configuration and operation SDNarchitecture 200, various custom resources may be instantiated.Instantiated resources (whether native or custom) may be referred to asobjects or as instances of the resource, which are persistent entitiesin SDN architecture 200 that represent an intent (desired state) and thestatus (actual state) of the SDN architecture 200. Configuration nodes230 provide an aggregated API for performing operations on (i.e.,creating, reading, updating, and deleting) configuration resources ofSDN architecture 200 in configuration store 224. Load balancer 226represents one or more load balancer objects that load balanceconfiguration requests among configuration nodes 230. Configurationstore 224 may represent one or more etcd databases. Configuration nodes230 may be implemented using Nginx.

SDN architecture 200 may provide networking for both Openstack andKubernetes. Openstack uses a plugin architecture to support networking.With virtual machine orchestrator 240 that is Openstack, the Openstacknetworking plugin driver converts Openstack configuration objects to SDNarchitecture 200 configuration objects (resources). Compute nodes runOpenstack nova to bring up virtual machines.

With container orchestrator 242 that is Kubernetes, SDN architecture 200functions as a Kubernetes CNI. As noted above, Kubernetes nativeresources (pod, services, ingress, external load balancer, etc.) may besupported, and SDN architecture 200 may support custom resources forKubernetes for advanced networking and security for SDN architecture200.

Configuration nodes 230 offer REST watch to control nodes 232 to watchfor configuration resource changes, which control nodes 232 effectwithin the computing infrastructure. Control nodes 232 receiveconfiguration resource data from configuration nodes 230, by watchingresources, and build a full configuration graph. A given one of controlnodes 232 consumes configuration resource data relevant for the controlnodes and distributes required configurations to the compute nodes(servers 12) via control interfaces 254 to the control plane aspect ofvirtual router 21 (i.e., the virtual router agent—not shown in FIG. 1 ).Any of the compute nodes may receive only a partial graph, as isrequired for processing. Control interfaces 254 may be XMPP. The numberof configuration nodes 230 and control nodes 232 that are deployed maybe a function of the number of clusters supported. To support highavailability, the configuration plane may include 2N+1 configurationnodes 230 and 2N control nodes 232.

Control nodes 232 distributes routes among the compute nodes. Controlnode 232 uses internal Border Gateway Protocol (iBGP) to exchange routesamong control nodes 232, and control nodes 232 may peer with anyexternal BGP supported gateways or other routers. Control nodes 232 mayuse a route reflector.

Pods 250 and virtual machines 252 are examples of workloads that may bedeployed to the compute nodes by virtual machine orchestrator 240 orcontainer orchestrator 242 and interconnected by SDN architecture 200using one or more virtual networks.

In accordance with aspects of the present disclosure, network controller24 may create access control policies that permit roles to accessresources and perform operations on resources of configurationarchitecture 200. As described above, the resources may includeconfiguration resources such as Kubernetes native resources (e.g., Pod,Ingress, Configmap, Service, Role, Namespace, Node, Networkpolicy, orLoadBalancer). Configuration resources also include custom resourcesthat describe physical infrastructure, virtual infrastructure,configurations, and/or other resources of SDN architecture 200. In someexamples, the resources may also include any other resources of SDNarchitecture 200.

An administrator may request that an access control policy to be createdfor a role that permits the role to perform one or more functions innetwork controller 24 by providing, to network controller 24 via userinterface 244 and/or application(s) 246, indications of the one or morefunctions that the role is permitted to perform. For example, theadministrator may provide user input at an user interface deviceoperably coupled to network controller 24 to specify one or more actionsthat a role is permitted to perform.

The administrator may send, to configuration nodes, such as via userinterface 244, a request to generate an access policy for a role thatspecifies the one or more actions that a role is permitted to perform byspecifying functions of the aggregated API provided by configurationnodes 230 to perform operations (e.g., creating, reading, updating, anddeleting) on resources of SDN architecture 200. For example, theadministrator may interact with configuration nodes 230 via userinterface 244 to call functions of the aggregated API that the roleshould be permitted to execute. In another example, the administratormay create and communicate to configuration nodes 230 a script thatcalls functions of the aggregated API that the role should be permittedto execute. In this way, the administrator may specify the one or morefunctions that the role is permitted to perform.

The administrator may also specify a role associated with the accesscontrol policy. In the example where network controller 24 is part of oris associated with a Kubernetes cluster, the administrator may specifythe role associated with the access control policy to be a ClusterRolerole or a role associated with a particular namespace. If theadministrator specifies the role to be a ClusterRole role, the accesscontrol policy for the role may apply to the Kubernetes cluster thatnetwork controller 24 is part of or with which network controller 24 isassociated. If the administrator specifies the role to be a roleassociated with a particular namespace, the role associated with theaccess control policy may apply to the particular namespace within theKubernetes cluster.

Configuration nodes 230 of network controller 24 may receive the requestand may execute the one or more specified functions of the aggregatedAPI. As described above, in some examples, the aggregated API may becalled to perform operations on resource of SDN architecture 200, suchas Kubernetes native resources (e.g., Pod, Ingress, Configmap, Service,Role, Namespace, Node, Networkpolicy, or LoadBalanceras) well as customresources that describe physical infrastructure, virtual infrastructure,configurations, and/or other resources of SDN architecture 200.

As configuration nodes 230 execute the functions of the aggregated API,configuration nodes 230 may also perform operations (e.g., CRUDoperations) on one or more resources that are not explicitly specifiedby calling the function of the aggregated API. As resources may behierarchical, a resource may be dependent upon one or more othersub-resources. While a function of the aggregated API may indicate anoperation to perform on a resource, the function may not necessarilyindicate one or more sub-resources upon which the indicated resourcedepends. As such, in order to perform one or more operations on aresource specified by a function of the aggregated API, configurationnodes 230 may determine, based on the resource indicated by thefunction, one or more sub-resources upon which the resource depends, andmay perform one or more operations on each of the one or moresub-resources, which may be any of the resources described throughoutthis disclosure, in order to successfully execute the specifiedfunction.

As configuration nodes 230 performs the one or more functions, networkcontroller 24 may use telemetry node(s) 260 to log the actions performedon resources within SDN architecture 200 as a result of performing theone or more functions of the aggregated API specified by theadministrator to create a chronological record of the actions performedon resources. Configuration nodes 230 may enable logging and/or auditingof operations performed on resources by using an audit policy file thatenables telemetry node(s) 260 to start logging. An example of a portionof an audit policy file is as follows:

apiVersion: audit.k8s.io/v1kind: Policyrules:

-   -   level: Request        resources:net    -   group: “core.contrailjuniper.”

As configuration nodes 230 performs the functions of the API calls,telemetry node(s) 260 may log information such as the resources operatedupon to perform the functions of the API calls, the operations (e.g.,CRUD operations) performed on the resources, the timestamp of eachoperation performed on the resources, the namespace of the resourcesoperated upon, and the like. In some examples, telemetry node(s) 260 maylog the information as events, where each event in the audit log beassociated with a resource that is operated upon, and may includeindications of the resource, one or more operations performed on theresources, the timestamp of the one or more operations performed on theresource, the namespace of the resource, and the like. An example of aportion of an audit log is as follows:

{″kind″:″Event″,  ″apiVersion″: ″audit.k8s.io/v1″,  ″level″:″Request″, ″auditID″: ″61005be0-02cb-4286-acb6-ade45f99ecc3″ ″stage″:″RequestReceived″, ″requestURI″:″/apis/core.contrail.juniper.net/v1alpha1/virtualnetworks?watch=1\u0026resourceVersion=5086″,  ″verb″: ″watch″, ″user″:{″username″: ″system:serviceaccount:contrail:contrail- serviceaccount″, ″uid″:″cd07eeal-e18a-48cf-a4e6-4f3800479eab″,″groups″: [″system:serviceaccounts″,″ system: serviceaccounts: contrail″,″system: authenticated″]},  ″sourceIPs″:[″ 10.88.0.1″],  ″userAgent″:″restclient-cpp/0.5.2″, ″objectRef″:{″resource″:″virtualnetworks″,″apiGroup″:″core.contrail.-juniper.net″,″apiVersion″:″v1alpha1″}, ″requestReceivedTimestamp″:″2021-09-13T18:36:53.761497Z″, ″stageTimestamp″:″2021-09-13T18:36:5 3.761497Z″, ″annotations″:{″authentication.k8s.io/legacy-token″:″system:serviceaccount:contrail:contrail-serviceaccount″}}

As can be seen in this example, telemetry node(s) 260 may record, for anevent, information such as the resource (e.g., “virtualnetworks”), theoperation(s) performed on the resource (e.g., “watch”), a timestamp ofthe event, as well as other information. As shown in the example,operations on resources are referred to as Kubernetes verbs, such asget, list, watch, update, create, and patch.

Configuration nodes 230 may filter and/or parse the audit log toextract, from the audit log, information such as the resources (e.g.,kinds) operated upon to perform the API calls and the operations (e.g.,verbs) performed on the resources. In some examples, configuration nodes230 may filter the audit log based on timestamps associated with theevents recorded in the audit log. For example, configuration nodes 230may determine the time at which configuration nodes 230 startsperforming the functions of the API calls and the time at whichconfiguration nodes 230 finishes performing the functions of the APIcalls. As such, configuration nodes 230 may filter the audit log forevents that are timestamped as having occurred between the time at whichconfiguration nodes 230 starts performing the functions of the API callsand the time at which configuration nodes 230 finishes performing thefunctions of the API calls.

In some examples, configuration nodes 230 may filter the audit log basedon namespaces associated with the events recorded in the audit log. Insome examples, if the administrator specifies that the access controlpolicy is applied to a particular namespace of a cluster, configurationnodes 230 may filter the audit log for events that are associated withthe particular namespace, such as based on the namespace associated witheach of the events recorded in the audit log.

Configuration nodes 230 may parse the audit log, including the audit logthat has been filtered, to extract information that network controller24 may use to generate the access control policy. Specifically,configuration nodes 230 may extract one or more resources recorded inthe audit log as being accessed and may extract, for each of the one ormore resources, one or more actions performed on the resource. Forexample, configuration nodes 230 may extract resources and operations as[‘kind’, ‘verb’] pairs, where kind refers to. An example of suchextracted resources and operations is as follows:

{  ″globalsystemconfigs″: [ ″watch″, ″update″ ],  ″routetargets″: [″create″, ″get″, ″watch″ ],  ″routinginstances″: [ ″create″, ″patch″,″list″, ″update″, ″watch″ ]  ″subnets″: [ ″get″, ″watch″ ], ″virtualmachineinterfaces″: [ ″watch″, ″list″, ″update″ ], ″virtualnetworks″: [ ″create″, ″patch″, ″update″, ″watch″ ], }

As shown in the above example, configuration nodes 230 may extract a“globalsystemconfigs” resource with “watch” and “update” operationshaving been performed on the resource, a “routetargets” resource with“create”, “get”, and “watch” operations having been performed on theresource, a “routinginstances” resource with “create”, “patch”, “list”,“update”, and “watch” operations having been performed on the resource,a “subnets” resource with “get” and “watch” operations having beenperformed on the resource, a “virtualmachineinterfaces” resource with“watch”, “list”, and “update” operations having been performed on theresource, and a “virtualnetworks” resource with “create”, “patch”,“update”, and “watch” operations having been performed on the resource.

Configuration nodes 230 may therefore generate an access control policythat specifies, for each of the one or more resources recorded in theaudit log as being accessed, one or more associated operations recordedas being performed on the resource in the access log as the one or moreoperations that the policy allows to be performed on the resource. Anexample of such an access control policy is as follows:

kubectl describe ClusterRole dev

Name: dev

Labels: <none>Annotations: <none>

PolicyRule: Resources Non-Resource URLs Resource Names Verbs

--------- ----------------- -------------- -----routetargets.core.contrail.juniper.net [ ] [ ] [create]routinginstances.core.contrail.juniper.net [ ] [ ] [create]virtualnetworks.core.contrail.juniper.net [ ] [ ] [create]subnets.core.contrail.juniper.net [ ] [ ] [get]

In the above example, the access control policy for a ClusterRole rolenamed “dev” enables the role to create routetarget resources, createroutinginstance resources, create virtualnetwork resources, and getsubnets resources.

Network controller 24 may use the generated access control policies toensure that users and services with associated roles are not able toaccess resources in ways that violate access control policies associatedwith the roles. For example, if a user has a “dev” role that isassociated with the above-detailed example access control policy, and ifthe user calls a function in the API to perform an operation on the“subnets” resource, network controller 24 may determine whether theoperation on the resource is allowed or whether the operation on theresource would violate the access policy for the “dev” role. Forexample, because the above-detailed example access control policy limitsthe “dev” role to performing the “get” operation on the “subnets”resource, if the user calls a function in the API to perform a “create”operation on a “subnets” resource, network controller 24 may disallowthe “create” operation on the “subnets” resource. In this way, networkcontroller 24 may use the generated access control policies toconstantly monitor for possible access control policy violations bycomparing functions called by users with the access control policies forroles of such users.

In some examples, an administrator may update an access control policyfor a role using the techniques described above. For example, anadministrator may update an access control policy for a role to permitthe role to perform one or more additional functions in networkcontroller 24 by specifying, to configuration nodes 230, one or moreadditional functions of the aggregated API. Configuration nodes 230 mayexecute the one or more additional functions specified by theadministrator and may log the execution of the one or more additionalfunctions in the audit log. Configuration nodes 230 may filter and/orparse the audit log to extract, from the audit log, information such asthe resources operated upon to perform the additional functions and theoperations performed on the resources. Configuration nodes 230 maytherefore update the access control policy for the role to include, foreach of the one or more resources recorded in the audit log as beingaccessed, one or more associated operations recorded as being performedon the resource in the access log as the one or more operations that thepolicy allows to be performed on the resource.

In some examples, network controller 24 may determine whether thegenerated access control policies violate configured access controlpolicies in network controller 24. That is, network controller 24 mayvalidate a generated access control policy for a role by comparing theaccess control policy for the role to a configured access control policyfor the role, which may be stored in one or more configuration stores.For example, if network controller 24 determines that a generated accesscontrol policy for a role permits the role to perform an operation on aresource that is not permitted by the configured access control policyfor the role, network controller 24 may determine that the generatedaccess control policy is invalid. In another example, if networkcontroller 24 determines that a generated access control policy for arole permits the role to perform an operation on a resource that is notpermitted by the configured access control policy for the role, networkcontroller 24 may update the configured access control policy for therole to permit the role to perform the operation on the resource aspermitted by the generated access control policy.

In some examples, network controller 24 may provide visualizations ofaccess control policies by outputting graphical representations ofaccess control policies for display at, for example, user interface 244.Providing such visualizations of access control policies may enableusers (e.g., administrators) to view the details of access controlpolicies to determine whether access control policies for roles havebeen properly generated by network controller 24.

FIG. 3 is a block diagram illustrating another view of components of SDNarchitecture 200 and in further detail, in accordance with techniques ofthis disclosure. Configuration nodes 230, control nodes, 232, and userinterface 244 are illustrated with their respective componentmicroservices for implementing network controller 24 and SDNarchitecture 200 as a cloud-native SDN architecture. Each of thecomponent microservices may be deployed to compute nodes.

FIG. 3 illustrates a single cluster divided into network controller 24,user interface 244, compute (servers 12), and telemetry 260 features.Configuration nodes 230 and control nodes 230 together form networkcontroller 24.

Configuration nodes 230 may include component microservices API server300 (or “Kubernetes API server 300”—corresponding controller 406 notshown in FIG. 3 ), custom API server 301, custom resource controller302, SDN controller manager 303 (sometimes termed “kube-manager” or “SDNkube-manager” where the orchestration platform for network controller 24is Kubernetes), and access control manager 305. Contrail-kube-manager isan example of SDN controller manager 303. Configuration nodes 230 extendthe API server 300 interface with a custom API server 301 to form anaggregation layer to support a data model for SDN architecture 200. SDNarchitecture 200 configuration intents may be custom resources, asdescribed above.

Control nodes 232 may include component microservices control 320 andcoreDNS 322. Control 320 performs configuration distribution and routelearning and distribution, as described above with respect to FIG. 2 .

Compute nodes are represented by servers 12. Each compute node includesa virtual router agent 316 and virtual router forwarding component(vRouter) 318. Either or both of virtual router agent 316 and vRouter318 may be component microservices. In general, virtual router agent 316performs control related functions. Virtual router agent 316 receivesconfiguration data from control nodes 232 and converts the configurationdata to forwarding information for vRouter 318. Virtual router agent 316may also performs firewall rule processing, set up flows for vRouter318, and interface with orchestration plugins (CNI for Kubernetes andNova plugin for Openstack). Virtual router agent 316 generates routes asworkloads (Pods or VMs) are brought up on the compute node, and virtualrouter 318 exchanges such routes with control nodes 232 for distributionto other compute nodes (control nodes 232 distribute the routes amongcontrol nodes 232 using BGP). Virtual router agent 316 also withdrawsroutes as workloads are terminated. vRouter 318 may support one or moreforwarding modes, such as kernel mode, DPDK, SmartNIC offload, and soforth. In some examples of container architectures or virtual machineworkloads, compute nodes may be either Kubernetes worker/minion nodes orOpenstack nova-compute nodes, depending on the particular orchestratorin use.

One or more optional telemetry node(s) 260 provide metrics, alarms,logging, and flow analysis. SDN architecture 200 telemetry leveragescloud native monitoring services, such as Prometheus, Elastic, Fluentd,Kinaba stack (EFK) and Influx TSDB. The SDN architecture componentmicroservices of configuration nodes 230, control nodes 232, computenodes, user interface 244, and analytics nodes (not shown) may producetelemetry data. This telemetry data may be consumed by services oftelemetry node(s) 260. Telemetry node(s) 260 may expose REST endpointsfor users and may support insights and event correlation.

Optional user interface 244 includes web user interface (UI) 306 and UIbackend 308 services. In general, user interface 244 providesconfiguration, monitoring, visualization, security, and troubleshootingfor the SDN architecture components.

Each of telemetry node(s) 260, user interface 244, configuration nodes230, control nodes 232, and servers 12/compute nodes may be consideredSDN architecture 200 nodes, in that each of these nodes is an entity toimplement functionality of the configuration, control, or data planes,or of the UI and telemetry nodes. Node scale is configured during “bringup,” and SDN architecture 200 supports automatic scaling of SDNarchitecture 200 nodes using orchestration system operators, such asKubernetes operators.

In accordance with aspects of the present disclosure, access controlmanager 305 is configured to generate access control policies for rolesto perform one or more functions in network controller 24. Anadministrator may request that an access control policy to be createdfor a role that permits the role to perform one or more functions innetwork controller 24 by providing, to network controller 24 via web UI306 or backend 308, indications of the one or more functions that therole is permitted to perform. The administrator may send, toconfiguration nodes 230 via web UI 306 or backend 308, a request togenerate an access policy for a role that specifies the one or moreactions that a role is permitted to perform by specifying functions ofthe aggregated API provided by API server 300 and/or custom API server301 to perform CRUD operations on resources of SDN architecture 200.

API server 300 and/or API server 301 may receive the request andconfiguration nodes 230 may execute the one or more specified functionsof the aggregated API. As configuration nodes 230 performs the one ormore functions, access control manager 305 may use telemetry node(s) 260to log the actions performed on resources within SDN architecture 200 asa result of performing the one or more functions of the aggregated APIspecified by the administrator to create a chronological record of theactions performed on resources. Access control manager 305 may enablelogging and/or auditing of operations performed on resources by using anaudit policy file that enables telemetry node(s) 260 to start logging.

As configuration nodes 230 performs the functions of the aggregated API,telemetry node(s) 260 may log information such as the resources operatedupon to perform the functions of the API calls, the operations (e.g.,CRUD operations) performed on the resources, the timestamp of eachoperation performed on the resources, the namespace of the resourcesoperated upon, and the like. In some examples, telemetry node(s) 260 maylog the information as events, where each event in the audit log beassociated with a resource that is operated upon, and may includeindications of the resource, one or more operations performed on theresources, the timestamp of the one or more operations performed on theresource, the namespace of the resource, and the like.

Access control manager 305 may filter and/or parse the audit log toextract, from the audit log, information such as the resources operatedupon to perform the API calls and the operations (e.g., verbs) performedon the resources. In some examples, access control manager 305 mayfilter the audit log based on timestamps associated with the eventsrecorded in the audit log. In some examples, configuration nodes 230 mayfilter the audit log based on namespaces associated with the eventsrecorded in the audit log. If the administrator specifies that theaccess control policy is applied to a particular namespace of a cluster,configuration nodes 230 may filter the audit log for events that areassociated with the particular namespace.

Configuration nodes 230 may parse the audit log, including the audit logthat has been filtered, to extract information that access controlmanager 305 may use to generate the access control policy. Specifically,access control manager 305 may extract one or more resources recorded inthe audit log as being accessed and may extract, for each of the one ormore resources, an associated one or more operations performed on theresource, thereby associating each resource with one or more operations.For example, access control manager 305 may extract resources andoperations as [‘kind’, ‘verb’] pairs. An example of such extractedresources and operations is as follows:

Access control manager 305 may therefore generate an access controlpolicy that specifies, for each of the one or more resources recorded inthe audit log as being accessed, one or more actions recorded as beingperformed on the resource in the access log as the one or more actionsthat can be performed on the resource. Network controller 24 may use thegenerated access control policies to ensure that users and services withassociated roles are not able to access resources in ways that violateaccess control policies associated with the roles.

In some examples, an administrator may update an access control policyfor a role using the techniques described above. For example, anadministrator may update an access control policy for a role to permitthe role to perform one or more additional functions in networkcontroller 24 by specifying, to configuration nodes 230, one or moreadditional functions of the aggregated API. Configuration nodes 230 mayexecute the one or more additional functions specified by theadministrator and may log the execution of the one or more additionalfunctions in the audit log. Access control manager 305 may filter and/orparse the audit log to extract, from the audit log, information such asthe resources operated upon to perform the additional functions and theoperations performed on the resources. Access control manager 305 maytherefore update the access control policy for the role to include, foreach of the one or more resources recorded in the audit log as beingaccessed, one or more associated operations recorded as being performedon the resource in the access log as the one or more operations that thepolicy allows to be performed on the resource.

In some examples, access control manager 305 may determine whether thegenerated access control policies violate configured access controlpolicies in network controller 24. That is, access control manager 305may validate a generated access control policy for a role by comparingthe access control policy for the role to a configured access controlpolicy for the role, which may be stored in one or more configurationstores. For example, if access control manager 305 determines that agenerated access control policy for a role permits the role to performan operation on a resource that is not permitted by the configuredaccess control policy for the role, access control manager 305 maydetermine that the generated access control policy is invalid. Inanother example, if access control manager 305 determines that agenerated access control policy for a role permits the role to performan operation on a resource that is not permitted by the configuredaccess control policy for the role, access control manager 305 mayupdate the configured access control policy for the role to permit therole to perform the operation on the resource as permitted by thegenerated access control policy.

FIG. 4 is a block diagram illustrating example components of an SDNarchitecture, in accordance with techniques of this disclosure. In thisexample, SDN architecture 400 extends and uses Kubernetes API server fornetwork configuration objects that realize user intents for the networkconfiguration. Such configuration objects, in Kubernetes terminology,are referred to as custom resources and when persisted in SDNarchitecture are referred to simply as objects. Configuration objectsare mainly user intents (e.g., Virtual Networks, BGPaaS, Network Policy,Service Chaining, etc.).

SDN architecture 400 configuration nodes 230 may uses Kubernetes APIserver for configuration objects. In kubernetes terminology, these arecalled custom resources.

Kubernetes provides two ways to add custom resources to a cluster:

-   -   Custom Resource Definitions (CRDs) are simple and can be created        without any programing.    -   API Aggregation requires programming but allows more control        over API behaviors, such as how data is stored and conversion        between API versions.

Aggregated APIs are subordinate API servers that sit behind the primaryAPI server, which acts as a proxy. This arrangement is called APIAggregation (AA). To users, it simply appears that the Kubernetes API isextended. CRDs allow users to create new types of resources withoutadding another API server. Regardless of how they are installed, the newresources are referred to as Custom Resources (CR) to distinguish themfrom native Kubernetes resources (e.g., Pods). CRDs were used in theinitial Config prototypes. The architecture may use the API ServerBuilder Alpha library to implement an aggregated API. API Server Builderis a collection of libraries and tools to build native Kubernetesaggregation extensions.

Usually, each resource in the Kubernetes API requires code that handlesREST requests and manages persistent storage of objects. The mainKubernetes API server 300 (implemented with API server microservices300A-300J) handles native resources and can also generically handlecustom resources through CRDs. Aggregated API 402 represents anaggregation layer that extends the Kubernetes API server 300 to allowfor provide specialized implementations for custom resources by writingand deploying custom API server 301 (using custom API servermicroservices 301A-301M). The main API server 300 delegates requests forthe custom resources to custom API server 301, thereby making suchresources available to all of its clients.

In this way, API server 300 (e.g., kube-apiserver) receives theKubernetes configuration objects, native objects (pods, services) andcustom resources defined in accordance with techniques of thisdisclosure. Custom resources for SDN architecture 400 may includeconfiguration objects that, when an intended state of the configurationobject in SDN architecture 400 is realized, implements an intendednetwork configuration of SDN architecture 400. Custom resources maycorrespond to configuration schemas traditionally, defined for networkconfiguration but that, according to techniques of this disclosure, areextended to be manipulable through aggregated API 402. Such customresources may be alternately termed and referred to herein as “customresources for SDN architecture configuration.” These may include virtualnetwork, bgp-as-a-service (BGPaaS), subnet, virtual router, serviceinstance, project, physical interface, logical interface, node, networkipam, floating ip, alarm, alias ip, access control list, firewallpolicy, firewall rule, network policy, route target, routing instance.Custom resources for SDN architecture configuration may correspond toconfiguration objects conventionally exposed by an SDN controller, butin accordance with techniques described herein, the configurationobjects are exposed as custom resources and consolidated along withKubernetes native built-in resources to support a unified intent model,exposed by aggregated API 402, that is realized by Kubernetescontrollers 406A-406N and by custom resource controller 302 (shown inFIG. 4 with component microservices 302A-302L) that works to reconcilethe actual state of the computing infrastructure including networkelements with the intended state.

API server 300 aggregation layer sends API custom resources to theircorresponding, registered custom API server 300. There may be multiplecustom API servers/custom resource controllers to support differentkinds of custom resources. Custom API server 300 handles customresources for SDN architecture configuration and writes to configurationstore(s) 304, which may be etcd. Custom API server 300 may be host andexpose an SDN controller identifier allocation service that may berequired by custom resource controller 302

Custom resource controller(s) 302 start to apply business logic to reachthe user's intention provided with user intents configuration. Thebusiness logic is implemented as a reconciliation loop. FIG. 8 is ablock diagram illustrating an example of a custom controller for customresource(s) for SDN architecture configuration, according to techniquesof this disclosure. Customer controller 814 may represent an exampleinstance of custom resource controller 301. In the example illustratedin FIG. 8 , custom controller 814 can be associated with custom resource818. Custom resource 818 can be any custom resource for SDN architectureconfiguration. Custom controller 814 can include reconciler 816 thatincludes logic to execute a reconciliation loop in which customcontroller 814 observes 834 (e.g., monitors) a current state 832 ofcustom resource 818. In response to determining that a desired state 836does not match a current state 832, reconciler 816 can perform actionsto adjust 838 the state of the custom resource such that the currentstate 832 matches the desired state 836. A request may be received byAPI server 300 and relayed to custom API server 301 to change thecurrent state 832 of custom resource 818 to desired state 836.

In the case that API request 301 is a create request for a customresource, reconciler 816 can act on the create event for the instancedata for the custom resource. Reconciler 816 may create instance datafor custom resources that the requested custom resource depends on. Asan example, an edge node custom resource may depend on a virtual networkcustom resource, a virtual interface custom resource, and an IP addresscustom resource. In this example, when reconciler 816 receives a createevent on an edge node custom resource, reconciler 816 can also createthe custom resources that the edge node custom resource depends upon,e.g., a virtual network custom resource, a virtual interface customresource, and an IP address custom resource.

By default, custom resource controllers 302 are running anactive-passive mode and consistency is achieved using master election.When a controller pod starts it tries to create a ConfigMap resource inKubernetes using a specified key. If creation succeeds, that pod becomesmaster and starts processing reconciliation requests; otherwise itblocks trying to create ConfigMap in an endless loop.

Custom resource controller 300 may tracks the status of custom resourcesit creates. For example, a Virtual Network (VN) creates a RoutingInstance (RI) which creates a Route Target (RT). If the creation of aroute target fails, the routing instance status is degraded, and becauseof this the virtual network status is also degraded. Custom resourcecontroller 300 may therefore output a custom message indicating thestatus(es) of these custom resources, for troubleshooting. An exampleflow of creation, watch, and reconciliation among custom resource typesthat have dependencies on different custom resource types is illustratedin FIG. 9 .

The configuration plane as implemented by configuration nodes 230 havehigh availability. Configuration nodes 230 may be based on Kubernetes,including the kube-apiserver service (e.g., API server 300) and thestorage backend etcd (e.g., configuration store(s) 304). Effectively,aggregated API 402 implemented by configuration nodes 230 operates asthe front end for the control plane implemented by control nodes 232.The main implementation of API server 300 is kube-apiserver, which isdesigned to scale horizontally by deploying more instances. As shown,several instances of API server 300 can be run to load balance APIrequests and processing.

Configuration store(s) 304 may be implemented as etcd. Etcd is aconsistent and highly-available key value store used as the Kubernetesbacking store for cluster data.

In the example of FIG. 4 , servers 12 of SIM architecture 400 eachinclude an orchestration agent 420 and a containerized (or“cloud-native”) routing protocol daemon (cRPD) 324, These components ofSDN architecture 400 are described in further detail below.

SDN controller manager 303 may operate as an interface betweenKubernetes core resources (Service, Namespace, Pod, Network Policy,Network Attachment Definition) and the extended SDN architectureresources (VirtualNetwork, RoutingInstance etc.). SDN controller manager303 watches the Kubernetes API for changes on both Kubernetes core andthe custom resources for SDN architecture configuration and, as aresult, can perform CRUD operations on the relevant resources.

In some examples, SDN controller manager 303 is a collection of one ormore k8s custom controllers. In some examples, in single ormulti-cluster deployments, SDN controller manager 303 may run on theKubernetes cluster(s) it manages

SDN controller manager 303 listens to the following Kubernetes objectsfor Create, Delete, and Update events:

-   -   Pod    -   Service    -   NodePort    -   Ingress    -   Endpoint    -   Namespace    -   Deployment    -   Network Policy

When these events are generated, SDN controller manager 303 createsappropriate SDN architecture objects, which are in turn defined ascustom resources for SDN architecture configuration. In response todetecting an event on an instance of a custom resource, whetherinstantiated by SDN controller manager 303 and/or through custom APIserver 301, control node 232 obtains configuration data for the instancefor the custom resource and configures a corresponding instance of aconfiguration object in SDN architecture 400.

For example, SDN controller manager 303 watches for the Pod creationevent and, in response, may create the following SDN architectureobjects: VirtualMachine (a workload/pod), VirtualMachineInterface (avirtual network interface), and an InstanceIP (IP address). Controlnodes 232 may then instantiate the SDN architecture objects, in thiscase, in a selected compute node.

In accordance with aspects of the present disclosure, an administratormay request that an access control policy to be created for a role thatpermits the role to perform one or more functions in SDN architecture byproviding indications of the one or more functions that the role ispermitted to perform. The administrator may send, to configuration nodes230, a request to generate an access policy for a role that specifiesthe one or more actions that a role is permitted to perform byspecifying functions of the aggregated API 402 provided by API server300 and/or custom API server 301 to perform CRUD operations on resourcesof SDN architecture 200.

API server 300 and/or API server 301 may receive the request andconfiguration nodes 230 may execute the one or more specified functionsof the aggregated API. As configuration nodes 230 performs the one ormore functions, configuration nodes 230 may log the actions performed onresources within SDN architecture 400 as a result of performing the oneor more functions of the aggregated API specified by the administratorto create a chronological record of the actions performed on resources.Configuration nodes 230 may enable logging and/or auditing of operationsperformed on resources by using an audit policy file that enablestelemetry node(s) to start logging.

As configuration nodes 230 performs the functions of the aggregated API,the telemetry node(s) may log information such as the resources operatedupon to perform the functions of the API calls, the operations (e.g.,CRUD operations) performed on the resources, the timestamp of eachoperation performed on the resources, the namespace of the resourcesoperated upon, and the like. In some examples, the telemetry node(s) maylog the information as events, where each event in the audit log beassociated with a resource that is operated upon, and may includeindications of the resource, one or more operations performed on theresources, the timestamp of the one or more operations performed on theresource, the namespace of the resource, and the like.

Configuration nodes 230 may filter and/or parse the audit log toextract, from the audit log, information such as the resources operatedupon to perform the API calls and the operations (e.g., verbs) performedon the resources. In some examples, configuration nodes 230 may filterthe audit log based on timestamps associated with the events recorded inthe audit log. In some examples, configuration nodes 230 may filter theaudit log based on namespaces associated with the events recorded in theaudit log. If the administrator specifies that the access control policyis applied to a particular namespace of a cluster, configuration nodes230 may filter the audit log for events that are associated with theparticular namespace.

Configuration nodes 230 may parse the audit log, including the audit logthat has been filtered, to extract information that is used to generatethe access control policy. Specifically, configuration nodes 230 mayextract one or more resources recorded in the audit log as beingaccessed and may extract, for each of the one or more resources, anassociated one or more operations performed on the resource, therebyassociating each resource with one or more operations. For example,configuration nodes 230 may extract resources and operations as [‘kind’,‘verb’] pairs. An example of such extracted resources and operations isas follows:

Configuration nodes 230 may therefore generate an access control policythat specifies, for each of the one or more resources recorded in theaudit log as being accessed, one or more actions recorded as beingperformed on the resource in the access log as the one or more actionsthat can be performed on the resource. Configuration nodes 230 may usethe generated access control policies to ensure that users and serviceswith associated roles are not able to access resources in ways thatviolate access control policies associated with the roles.

In some examples, configuration nodes may determine whether thegenerated access control policies violate configured access controlpolicies in configuration nodes. That is, configuration nodes 230 mayvalidate a generated access control policy for a role by comparing theaccess control policy for the role to a configured access control policyfor the role, which may be stored in one or more configuration stores304. For example, if configuration nodes 230 determines that a generatedaccess control policy for a role permits the role to perform anoperation on a resource that is not permitted by the configured accesscontrol policy for the role, configuration nodes 230 may determine thatthe generated access control policy is invalid. In another example, ifconfiguration nodes 230 determines that a generated access controlpolicy for a role permits the role to perform an operation on a resourcethat is not permitted by the configured access control policy for therole, configuration nodes 230 may update the configured access controlpolicy for the role to permit the role to perform the operation on theresource as permitted by the generated access control policy.

FIG. 5 is a block diagram of an example computing device, according totechniques described in this disclosure. Computing device 500 of FIG. 2may represent a real or virtual server and may represent an exampleinstance of any of servers 12 and may be referred to as a compute node,master/minion node, or host. Computing device 500 includes in thisexample, a bus 542 coupling hardware components of a computing device500 hardware environment. Bus 542 couples network interface card (NIC)530, storage disk 546, and one or more microprocessors 210 (hereinafter,“microprocessor 510”). NIC 530 may be SR-IOV-capable. A front-side busmay in some cases couple microprocessor 510 and memory device 524. Insome examples, bus 542 may couple memory device 524, microprocessor 510,and NIC 530. Bus 542 may represent a Peripheral Component Interface(PCI) express (PCIe) bus. In some examples, a direct memory access (DMA)controller may control DMA transfers among components coupled to bus542. In some examples, components coupled to bus 542 control DMAtransfers among components coupled to bus 542.

Microprocessor 510 may include one or more processors each including anindependent execution unit to perform instructions that conform to aninstruction set architecture, the instructions stored to storage media.Execution units may be implemented as separate integrated circuits (ICs)or may be combined within one or more multi-core processors (or“many-core” processors) that are each implemented using a single IC(i.e., a chip multiprocessor).

Disk 546 represents computer readable storage media that includesvolatile and/or non-volatile, removable and/or non-removable mediaimplemented in any method or technology for storage of information suchas processor-readable instructions, data structures, program modules, orother data. Computer readable storage media includes, but is not limitedto, random access memory (RAM), read-only memory (ROM), EEPROM, Flashmemory, CD-ROM, digital versatile discs (DVD) or other optical storage,magnetic cassettes, magnetic tape, magnetic disk storage or othermagnetic storage devices, or any other medium that can be used to storethe desired information and that can be accessed by microprocessor 510.

Main memory 524 includes one or more computer-readable storage media,which may include random-access memory (RAM) such as various forms ofdynamic RAM (DRAM), e.g., DDR2/DDR3 SDRAM, or static RAM (SRAM), flashmemory, or any other form of fixed or removable storage medium that canbe used to carry or store desired program code and program data in theform of instructions or data structures and that can be accessed by acomputer. Main memory 524 provides a physical address space composed ofaddressable memory locations.

Network interface card (NIC) 530 includes one or more interfaces 532configured to exchange packets using links of an underlying physicalnetwork. Interfaces 532 may include a port interface card having one ormore network ports. NIC 530 may also include an on-card memory to, e.g.,store packet data. Direct memory access transfers between the NIC 530and other devices coupled to bus 542 may read/write from/to the NICmemory.

Memory 524, NIC 530, storage disk 546, and microprocessor 510 mayprovide an operating environment for a software stack that includes anoperating system kernel 580 executing in kernel space. Kernel 580 mayrepresent, for example, a Linux, Berkeley Software Distribution (BSD),another Unix-variant kernel, or a Windows server operating systemkernel, available from Microsoft Corp. In some instances, the operatingsystem may execute a hypervisor and one or more virtual machines managedby hypervisor. Example hypervisors include Kernel-based Virtual Machine(KVM) for the Linux kernel, Xen, ESXi available from VMware, WindowsHyper-V available from Microsoft, and other open-source and proprietaryhypervisors. The term hypervisor can encompass a virtual machine manager(VMM). An operating system that includes kernel 580 provides anexecution environment for one or more processes in user space 545.

Kernel 580 includes a physical driver 525 to use the network interfacecard 530. Network interface card 530 may also implement SR-IOV to enablesharing the physical network function (I/O) among one or more virtualexecution elements, such as containers 529A or one or more virtualmachines (not shown in FIG. 5 ). Shared virtual devices such as virtualfunctions may provide dedicated resources such that each of the virtualexecution elements may access dedicated resources of NIC 530, whichtherefore appears to each of the virtual execution elements as adedicated NIC. Virtual functions may represent lightweight PCIefunctions that share physical resources with a physical function used byphysical driver 525 and with other virtual functions. For anSR-IOV-capable NIC 530, NIC 530 may have thousands of available virtualfunctions according to the SR-IOV standard, but for I/O-intensiveapplications the number of configured virtual functions is typicallymuch smaller.

Computing device 500 may be coupled to a physical network switch fabricthat includes an overlay network that extends switch fabric fromphysical switches to software or “virtual” routers of physical serverscoupled to the switch fabric, including virtual router 506. Virtualrouters may be processes or threads, or a component thereof, executed bythe physical servers, e.g., servers 12 of FIG. 1 , that dynamicallycreate and manage one or more virtual networks usable for communicationbetween virtual network endpoints. In one example, virtual routersimplement each virtual network using an overlay network, which providesthe capability to decouple an endpoint's virtual address from a physicaladdress (e.g., IP address) of the server on which the endpoint isexecuting. Each virtual network may use its own addressing and securityscheme and may be viewed as orthogonal from the physical network and itsaddressing scheme. Various techniques may be used to transport packetswithin and across virtual networks over the physical network. The term“virtual router” as used herein may encompass an Open vSwitch (OVS), anOVS bridge, a Linux bridge, Docker bridge, or other device and/orsoftware that is located on a host device and performs switching,bridging, or routing packets among virtual network endpoints of one ormore virtual networks, where the virtual network endpoints are hosted byone or more of servers 12. In the example computing device 500 of FIG. 5, virtual router 506 executes within user space as a DPDK-based virtualrouter, but virtual router 506 may execute within a hypervisor, a hostoperating system, a host application, or a virtual machine in variousimplementations.

Virtual router 506 may replace and subsume the virtual routing/bridgingfunctionality of the Linux bridge/OVS module that is commonly used forKubernetes deployments of pods 502. Virtual router 506 may performbridging (e.g., E-VPN) and routing (e.g., L3VPN, IP-VPNs) for virtualnetworks. Virtual router 506 may perform networking services such asapplying security policies, NAT, multicast, mirroring, and loadbalancing.

Virtual router 506 can be executing as a kernel module or as a userspace DPDK process (virtual router 506 is shown here in user space 545).Virtual router agent 514 may also be executing in user space. In theexample computing device 500, virtual router 506 executes within userspace as a DPDK-based virtual router, but virtual router 506 may executewithin a hypervisor, a host operating system, a host application, or avirtual machine in various implementations. Virtual router agent 514 hasa connection to network controller 24 using a channel, which is used todownload configurations and forwarding information. Virtual router agent514 programs this forwarding state to the virtual router data (or“forwarding”) plane represented by virtual router 506. Virtual router506 and virtual router agent 514 may be processes. Virtual router 506and virtual router agent 514 containerized/cloud-native.

Virtual router 506 may replace and subsume the virtual routing/bridgingfunctionality of the Linux bridge/OVS module that is commonly used forKubernetes deployments of pods 502. Virtual router 506 may performbridging (e.g., E-VPN) and routing (e.g., L3VPN, IP-VPNs) for virtualnetworks. Virtual router 506 may perform networking services such asapplying security policies, NAT, multicast, mirroring, and loadbalancing.

Virtual router 506 may be multi-threaded and execute on one or moreprocessor cores. Virtual router 506 may include multiple queues. Virtualrouter 506 may implement a packet processing pipeline. The pipeline canbe stitched by the virtual router agent 514 from the simplest to themost complicated manner depending on the operations to be applied to apacket. Virtual router 506 may maintain multiple instances of forwardingbases. Virtual router 506 may access and update tables using RCU (ReadCopy Update) locks.

To send packets to other compute nodes or switches, virtual router 506uses one or more physical interfaces 532. In general, virtual router 506exchanges overlay packets with workloads, such as VMs or pods 502.Virtual router 506 has multiple virtual network interfaces (e.g., vifs).These interfaces may include the kernel interface, vhost0, forexchanging packets with the host operating system; an interface withvirtual router agent 514, pkt0, to obtain forwarding state from thenetwork controller and to send up exception packets. There may be one ormore virtual network interfaces corresponding to the one or morephysical network interfaces 532. Other virtual network interfaces ofvirtual router 506 are for exchanging packets with the workloads.

In a kernel-based deployment of virtual router 506 (not shown), virtualrouter 506 is installed as a kernel module inside the operating system.Virtual router 506 registers itself with the TCP/IP stack to receivepackets from any of the desired operating system interfaces that itwants to. The interfaces can be bond, physical, tap (for VMs), veth (forcontainers) etc. Virtual router 506 in this mode relies on the operatingsystem to send and receive packets from different interfaces. Forexample, the operating system may expose a tap interface backed by avhost-net driver to communicate with VMs. Once virtual router 506registers for packets from this tap interface, the TCP/IP stack sendsall the packets to it. Virtual router 506 sends packets via an operatingsystem interface. In addition, NIC queues (physical or virtual) arehandled by the operating system. Packet processing may operate ininterrupt mode, which generates interrupts and may lead to frequentcontext switching. When there is a high packet rate, the overheadattendant with frequent interrupts and context switching may overwhelmthe operating system and lead to poor performance.

In a DPDK-based deployment of virtual router 506 (shown in FIG. 5 ),virtual router 506 is installed as a user space 545 application that islinked to the DPDK library. This may lead to faster performance than akernel-based deployment, particularly in the presence of high packetrates. The physical interfaces 532 are used by the poll mode drivers(PMDs) of DPDK rather the kernel's interrupt-based drivers. Theregisters of physical interfaces 532 may be exposed into user space 545in order to be accessible to the PMDs; a physical interface 532 bound inthis way is no longer managed by or visible to the host operatingsystem, and the DPDK-based virtual router 506 manages the physicalinterface 532. This includes packet polling, packet processing, andpacket forwarding. In other words, user packet processing steps areperformed by the virtual router 506 DPDK data plane. The nature of this“polling mode” makes the virtual router 506 DPDK data plane packetprocessing/forwarding much more efficient as compared to the interruptmode when the packet rate is high. There are comparatively fewinterrupts and context switching during packet I/O, compared tokernel-mode virtual router 506, and interrupt and context switchingduring packet I/O may in some cases be avoided altogether.

In general, each of pods 502A-502B may be assigned one or more virtualnetwork addresses for use within respective virtual networks, where eachof the virtual networks may be associated with a different virtualsubnet provided by virtual router 506. Pod 502B may be assigned its ownvirtual layer three (L3) IP address, for example, for sending andreceiving communications but may be unaware of an IP address of thecomputing device 500 on which the pod 502B executes. The virtual networkaddress may thus differ from the logical address for the underlying,physical computer system, e.g., computing device 500.

Computing device 500 includes a virtual router agent 514 that controlsthe overlay of virtual networks for computing device 500 and thatcoordinates the routing of data packets within computing device 500. Ingeneral, virtual router agent 514 communicates with network controller24 for the virtualization infrastructure, which generates commands tocreate virtual networks and configure network virtualization endpoints,such as computing device 500 and, more specifically, virtual router 506,as a well as virtual network interface 212. By configuring virtualrouter 506 based on information received from network controller 24,virtual router agent 514 may support configuring network isolation,policy-based security, a gateway, source network address translation(SNAT), a load-balancer, and service chaining capability fororchestration.

In one example, network packets, e.g., layer three (L3) IP packets orlayer two (L2) Ethernet packets generated or consumed by the containers529A-529B within the virtual network domain may be encapsulated inanother packet (e.g., another IP or Ethernet packet) that is transportedby the physical network. The packet transported in a virtual network maybe referred to herein as an “inner packet” while the physical networkpacket may be referred to herein as an “outer packet” or a “tunnelpacket.” Encapsulation and/or de-capsulation of virtual network packetswithin physical network packets may be performed by virtual router 506.This functionality is referred to herein as tunneling and may be used tocreate one or more overlay networks. Besides IPinIP, other exampletunneling protocols that may be used include IP over Generic RouteEncapsulation (GRE), VxLAN, Multiprotocol Label Switching (MPLS) overGRE, MPLS over User Datagram Protocol (UDP), etc. Virtual router 506performs tunnel encapsulation/decapsulation for packets sourcedby/destined to any containers of pods 502, and virtual router 506exchanges packets with pods 502 via bus 542 and/or a bridge of NIC 530.

As noted above, a network controller 24 may provide a logicallycentralized controller for facilitating operation of one or more virtualnetworks. The network controller 24 may, for example, maintain a routinginformation base, e.g., one or more routing tables that store routinginformation for the physical network as well as one or more overlaynetworks. Virtual router 506 implements one or more virtual routing andforwarding instances (VRFs), such as VRF 222A, for respective virtualnetworks for which virtual router 506 operates as respective tunnelendpoints. In general, each of the VRFs stores forwarding informationfor the corresponding virtual network and identifies where data packetsare to be forwarded and whether the packets are to be encapsulated in atunneling protocol, such as with a tunnel header that may include one ormore headers for different layers of the virtual network protocol stack.Each of the VRFs may include a network forwarding table storing routingand forwarding information for the virtual network.

NIC 530 may receive tunnel packets. Virtual router 506 processes thetunnel packet to determine, from the tunnel encapsulation header, thevirtual network of the source and destination endpoints for the innerpacket. Virtual router 506 may strip the layer 2 header and the tunnelencapsulation header to internally forward only the inner packet. Thetunnel encapsulation header may include a virtual network identifier,such as a VxLAN tag or MPLS label, that indicates a virtual network,e.g., a virtual network corresponding to VRF 222A. VRF 222A may includeforwarding information for the inner packet. For instance, VRF 222A maymap a destination layer 3 address for the inner packet to virtualnetwork interface 212. VRF 222A forwards the inner packet via virtualnetwork interface 212 to pod 502A in response.

Containers 529A may also source inner packets as source virtual networkendpoints. Container 529A, for instance, may generate a layer 3 innerpacket destined for a destination virtual network endpoint that isexecuted by another computing device (i.e., not computing device 500) orfor another one of containers. Container 529A may sends the layer 3inner packet to virtual router 506 via the virtual network interfaceattached to VRF 222A.

Virtual router 506 receives the inner packet and layer 2 header anddetermines a virtual network for the inner packet. Virtual router 506may determine the virtual network using any of the above-describedvirtual network interface implementation techniques (e.g., macvlan,veth, etc.). Virtual router 506 uses the VRF 222A corresponding to thevirtual network for the inner packet to generate an outer header for theinner packet, the outer header including an outer IP header for theoverlay tunnel and a tunnel encapsulation header identifying the virtualnetwork. Virtual router 506 encapsulates the inner packet with the outerheader. Virtual router 506 may encapsulate the tunnel packet with a newlayer 2 header having a destination layer 2 address associated with adevice external to the computing device 500, e.g., a TOR switch 16 orone of servers 12. If external to computing device 500, virtual router506 outputs the tunnel packet with the new layer 2 header to NIC 530using physical function 221. NIC 530 outputs the packet on an outboundinterface. If the destination is another virtual network endpointexecuting on computing device 500, virtual router 506 routes the packetto the appropriate one of virtual network interfaces 212, 213.

In some examples, a controller for computing device 500 (e.g., networkcontroller 24 of FIG. 1 ) configures a default route in each of pods 502to cause the pod to use virtual router 506 as an initial next hop foroutbound packets. In some examples, NIC 530 is configured with one ormore forwarding rules to cause all packets received from the pod to beswitched to virtual router 506.

Pod 502A includes one or more application containers 529A. Pod 502Bincludes an instance of containerized routing protocol daemon (cRPD)560. Container platform 588 includes container runtime 590,orchestration agent 592, service proxy 593, and CNI 570.

Container engine 590 includes code executable by microprocessor 510.Container runtime 590 may be one or more computer processes. Containerengine 590 runs containerized applications in the form of containers529A-529B. Container engine 590 may represent a Dockert, rkt, or othercontainer engine for managing containers. In general, container engine590 receives requests and manages objects such as images, containers,networks, and volumes. An image is a template with instructions forcreating a container. A container is an executable instance of an image.Based on directives from controller agent 592, container engine 590 mayobtain images and instantiate them as executable containers in pods502A-502B.

Service proxy 593 includes code executable by microprocessor 510.Service proxy 593 may be one or more computer processes. Service proxy593 monitors for the addition and removal of service and endpointsobjects, and it maintains the network configuration of the computingdevice 500 to ensure communication among pods and containers, e.g.,using services. Service proxy 593 may also manage iptables to capturetraffic to a service's virtual IP address and port and redirect thetraffic to the proxy port that proxies a backed pod. Service proxy 593may represent a kube-proxy for a minion node of a Kubernetes cluster. Insome examples, container platform 588 does not include a service proxy593 or the service proxy 593 is disabled in favor of configuration ofvirtual router 506 and pods 502 by CNI 570.

Orchestration agent 592 includes code executable by microprocessor 510.Orchestration agent 592 may be one or more computer processes.Orchestration agent 592 may represent a kubelet for a minion node of aKubernetes cluster. Orchestration agent 592 is an agent of anorchestrator, e.g., orchestrator 23 of FIG. 1 , that receives containerspecification data for containers and ensures the containers execute bycomputing device 500. Container specification data may be in the form ofa manifest file sent to orchestration agent 592 from orchestrator 23 orindirectly received via a command line interface, HTTP endpoint, or HTTPserver. Container specification data may be a pod specification (e.g., aPodSpec—a YAML (Yet Another Markup Language) or JSON object thatdescribes a pod) for one of pods 502 of containers. Based on thecontainer specification data, orchestration agent 592 directs containerengine 590 to obtain and instantiate the container images for containers529, for execution of containers 529 by computing device 500.

Orchestration agent 592 instantiates or otherwise invokes CNI 570 toconfigure one or more virtual network interfaces for each of pods 502.For example, orchestration agent 592 receives a container specificationdata for pod 502A and directs container engine 590 to create the pod502A with containers 529A based on the container specification data forpod 502A. Orchestration agent 592 also invokes the CNI 570 to configure,for pod 502A, virtual network interface for a virtual networkcorresponding to VRFs 222A. In this example, pod 502A is a virtualnetwork endpoint for a virtual network corresponding to VRF 222A.

CNI 570 may obtain interface configuration data for configuring virtualnetwork interfaces for pods 502. Virtual router agent 514 operates as avirtual network control plane module for enabling network controller 24to configure virtual router 506. Unlike the orchestration control plane(including the container platforms 588 for minion nodes and the masternode(s), e.g., orchestrator 23), which manages the provisioning,scheduling, and managing virtual execution elements, a virtual networkcontrol plane (including network controller 24 and virtual router agent514 for minion nodes) manages the configuration of virtual networksimplemented in the data plane in part by virtual routers 506 of theminion nodes. Virtual router agent 514 communicates, to CNI 570,interface configuration data for virtual network interfaces to enable anorchestration control plane element (i.e., CNI 570) to configure thevirtual network interfaces according to the configuration statedetermined by the network controller 24, thus bridging the gap betweenthe orchestration control plane and virtual network control plane. Inaddition, this may enable a CNI 570 to obtain interface configurationdata for multiple virtual network interfaces for a pod and configure themultiple virtual network interfaces, which may reduce communication andresource overhead inherent with invoking a separate CNI 570 forconfiguring each virtual network interface.

Containerized routing protocol daemons are described in U.S. applicationSer. No. 17/649,632, filed Feb. 1, 2022, which is incorporated byreference herein in its entirety.

FIG. 6 is a block diagram of an example computing device operating as acompute node for one or more clusters for an SDN architecture system, inaccordance with techniques of this disclosure. Computing device 1300 mayrepresent one or more real or virtual servers. Computing device 1300 mayin some instances implement one or more master nodes for respectiveclusters, or for multiple clusters.

Scheduler 1322, access control manager 305, API server 300A, controller406A, custom API server 301A, custom resource controller 302A,controller manager 1326, SDN controller manager 1325, control node 232A,and configuration store 1328, although illustrated and described asbeing executed by a single computing device 1300, may be distributedamong multiple computing devices that make up a computing system orhardware/server cluster. Each of the multiple computing devices, inother words, may provide a hardware operating environment for one ormore instances of any one or more of scheduler 1322, access controlmanager 305, API server 300A, controller 406A, custom API server 301A,custom resource controller 302A, network controller manager 1326,network controller 1324, SDN controller manager 1325, control node 232A,or configuration store 1328.

Computing device 1300 includes in this example, a bus 1342 couplinghardware components of a computing device 1300 hardware environment. Bus1342 couples network interface card (NIC) 1330, storage disk 1346, andone or more microprocessors 1310 (hereinafter, “microprocessor 1310”). Afront-side bus may in some cases couple microprocessor 1310 and memorydevice 1344. In some examples, bus 1342 may couple memory device 1344,microprocessor 1310, and NIC 1330. Bus 1342 may represent a PeripheralComponent Interface (PCI) express (PCIe) bus. In some examples, a directmemory access (DMA) controller may control DMA transfers amongcomponents coupled to bus 242. In some examples, components coupled tobus 1342 control DMA transfers among components coupled to bus 1342.

Microprocessor 1310 may include one or more processors each including anindependent execution unit to perform instructions that conform to aninstruction set architecture, the instructions stored to storage media.Execution units may be implemented as separate integrated circuits (ICs)or may be combined within one or more multi-core processors (or“many-core” processors) that are each implemented using a single IC(i.e., a chip multiprocessor).

Disk 1346 represents computer readable storage media that includesvolatile and/or non-volatile, removable and/or non-removable mediaimplemented in any method or technology for storage of information suchas processor-readable instructions, data structures, program modules, orother data. Computer readable storage media includes, but is not limitedto, random access memory (RAM), read-only memory (ROM), EEPROM, Flashmemory, CD-ROM, digital versatile discs (DVD) or other optical storage,magnetic cassettes, magnetic tape, magnetic disk storage or othermagnetic storage devices, or any other medium that can be used to storethe desired information and that can be accessed by microprocessor 1310.

Main memory 1344 includes one or more computer-readable storage media,which may include random-access memory (RAM) such as various forms ofdynamic RAM (DRAM), e.g., DDR2/DDR3 SDRAM, or static RAM (SRAM), flashmemory, or any other form of fixed or removable storage medium that canbe used to carry or store desired program code and program data in theform of instructions or data structures and that can be accessed by acomputer. Main memory 1344 provides a physical address space composed ofaddressable memory locations.

Network interface card (NIC) 1330 includes one or more interfaces 3132configured to exchange packets using links of an underlying physicalnetwork. Interfaces 3132 may include a port interface card having one ormore network ports. NIC 1330 may also include an on-card memory to,e.g., store packet data. Direct memory access transfers between the NIC1330 and other devices coupled to bus 1342 may read/write from/to theNIC memory.

Memory 1344, NIC 1330, storage disk 1346, and microprocessor 1310 mayprovide an operating environment for a software stack that includes anoperating system kernel 1314 executing in kernel space. Kernel 1314 mayrepresent, for example, a Linux, Berkeley Software Distribution (BSD),another Unix-variant kernel, or a Windows server operating systemkernel, available from Microsoft Corp. In some instances, the operatingsystem may execute a hypervisor and one or more virtual machines managedby hypervisor. Example hypervisors include Kernel-based Virtual Machine(KVM) for the Linux kernel, Xen, ESXi available from VMware, WindowsHyper-V available from Microsoft, and other open-source and proprietaryhypervisors. The term hypervisor can encompass a virtual machine manager(VMM). An operating system that includes kernel 1314 provides anexecution environment for one or more processes in user space 1345.Kernel 1314 includes a physical driver 1327 to use the network interfacecard 1330.

Computing device 1300 may be coupled to a physical network switch fabricthat includes an overlay network that extends switch fabric fromphysical switches to software or virtual routers of physical serverscoupled to the switch fabric, such virtual routers 21. Computing device1300 may use one or more dedicated virtual networks to configure minionnodes of a cluster.

API server 300A, access control manager 305, scheduler 1322, controller406A, custom API server 301A, custom resource controller 302A,controller manager 1326, and configuration store 1328 may implement amaster node for a cluster and be alternatively referred to as “mastercomponents.” The cluster may be a Kubernetes cluster and the master nodea Kubernetes master node, in which case the master components areKubernetes master components.

Each of API server 300A, access control manager 305, controller 406A,custom API server 301A, and custom resource controller 302A includescode executable by microprocessor 1310. Custom API server 301A validatesand configures data for custom resources for SDN architectureconfiguration. A service may be an abstraction that defines a logicalset of pods and the policy used to access the pods. The set of podsimplementing a service are selected based on the service definition. Aservice may be implemented in part as, or otherwise include, a loadbalancer. API server 300A and custom API server 301A may implement aRepresentational State Transfer (REST) interface to process RESToperations and provide the frontend, as part of the configuration planefor an SDN architecture, to a corresponding cluster's shared statestored to configuration store 1328. API server 300A may represent aKubernetes API server.

Access control manager 305 is configured to perform the techniquesdescribed throughout this disclosure to generate access control policiesfor roles. For example, as API server 300A and custom API server 301Areceive functions specified by a request to generate an access controlpolicy for a role, access control manager 305 may enable logging of theexecution of the functions by API server 300A and custom API server 301Ain an audit log. Access control manager 305 may filter and/or parse theaudit log to determine a plurality of resources accessed from executingthe and to determine, for each resource, a respective one or more typesof operations performed on the respective resource. Access controlmanager 305 may therefore create, based at least in part on the parsedaudit log, the access control policy for the role that permits a role toperform, on each of the plurality of resources, the respective one ormore types of operations.

Configuration store 1328 is a backing store for all cluster data.Cluster data may include cluster state and configuration data.Configuration data may also provide a backend for service discoveryand/or provide a locking service. Configuration store 1328 may beimplemented as a key value store. Configuration store 1328 may be acentral database or distributed database. Configuration store 1328 mayrepresent an etcd store. Configuration store 1328 may represent aKubernetes configuration store. In some examples, configuration store1328 may store the access control policies generated using thetechniques described throughout this disclosure and/or other configuredaccess control policies.

Scheduler 1322 includes code executable by microprocessor 1310.Scheduler 1322 may be one or more computer processes. Scheduler 1322monitors for newly created or requested virtual execution elements(e.g., pods of containers) and selects a minion node on which thevirtual execution elements are to run. Scheduler 1322 may select aminion node based on resource requirements, hardware constraints,software constraints, policy constraints, locality, etc. Scheduler 1322may represent a Kubernetes scheduler.

In general, API server 1320 may invoke the scheduler 1322 to schedule apod. Scheduler 1322 may select a minion node and returns an identifierfor the selected minion node to API server 1320, which may write theidentifier to the configuration store 1328 in association with the pod.API server 1320 may invoke the orchestration agent 310 for the selectedminion node, which may cause the container engine 208 for the selectedminion node to obtain the pod from a storage server and create thevirtual execution element on the minion node. The orchestration agent310 for the selected minion node may update the status for the pod tothe API server 1320, which persists this new state to the configurationstore 1328. In this way, computing device 1300 instantiates new pods inthe computing infrastructure 8.

Controller manager 1326 includes code executable by microprocessor 1310.Controller manager 1326 may be one or more computer processes.Controller manager 1326 may embed the core control loops, monitoring ashared state of a cluster by obtaining notifications from API Server1320. Controller manager 1326 may attempt to move the state of thecluster toward the desired state. Example controller 406A and customresource controller 302A may be managed by the controller manager 1326.Other controllers may include a replication controller, endpointscontroller, namespace controller, and service accounts controller.Controller manager 1326 may perform lifecycle functions such asnamespace creation and lifecycle, event garbage collection, terminatedpod garbage collection, cascading-deletion garbage collection, nodegarbage collection, etc. Controller manager 1326 may represent aKubernetes Controller Manager for a Kubernetes cluster.

A network controller for an SDN architecture described herein mayprovide cloud networking for a computing architecture operating over anetwork infrastructure. Cloud networking may include private clouds forenterprise or service providers, infrastructure as a service (IaaS), andvirtual private clouds (VPCs) for cloud service providers (CSPs). Theprivate cloud, VPC, and IaaS use cases may involve a multi-tenantvirtualized data centers, such as that described with respect to FIG. 1. In such cases, multiple tenants in a data center share the samephysical resources (physical servers, physical storage, physicalnetwork). Each tenant is assigned its own logical resources (virtualmachines, containers, or other form of virtual execution elements;virtual storage; virtual networks). These logical resources are isolatedfrom each other, unless specifically allowed by security policies. Thevirtual networks in the data center may also be interconnected to aphysical IP VPN or L2 VPN.

The network controller (or “SDN controller”) may provide networkfunction virtualization (NFV) to networks, such as business edgenetworks, broadband subscriber management edge networks, and mobile edgenetworks. NFV involves orchestration and management of networkingfunctions such as a Firewalls, Intrusion Detection or PreventionsSystems (IDS/IPS), Deep Packet Inspection (DPI), caching, Wide AreaNetwork (WAN) optimization, etc. in virtual machines, containers, orother virtual execution elements instead of on physical hardwareappliances.

SDN controller manager 1325 includes code executable by microprocessor1310. SDN controller manager 1325 may be one or more computer processes.SDN controller manager 1325 operates as an interface between theorchestration-oriented elements (e.g., scheduler 1322, API server 300Aand custom API server 301A, controller manager 1326, and configurationstore 1328). In general, SDN controller manager 1325 monitors thecluster for new Kubernetes native objects (e.g., pods and services). SDNcontroller manager 1325 may isolate pods in virtual networks and connectpods with services.

SDN controller manager 1325 may be executed as a container of the masternode for a cluster. In some cases, using SDN controller manager 1325enables disabling the service proxies of minion nodes (e.g., theKubernetes kube-proxy) such that all pod connectivity is implementedusing virtual routers, as described herein.

Components of the network controller 24 may operate as a CNI forKubernetes and may support multiple deployment modes. CNI 17, CNI 750are the compute node interfaces for this overall CNI framework formanaging networking for Kubernetes. The deployment modes can be dividedinto two categories: (1) an SDN architecture cluster as a CNI integratedinto a workload Kubernetes cluster, and (2) an SDN architecture clusteras a CNI that is separate from the workload Kubernetes clusters.

Integrated with Workload Kubernetes Cluster

Components of the network controller 24 (e.g., custom API server 301,custom resource controller 302, SDN controller manager 1325, and controlnodes 232) are running in the managed Kubernetes cluster on masternodes, close to the Kubernetes controller components. In this mode,components of network controller 24 are effectively part of the sameKubernetes cluster as the workloads.

Separate from Workload Kubernetes Clusters

Components of the network controller 24 will be executed by a separateKubernetes cluster from the workload Kubernetes clusters.

SDN controller manager 1325 may use a controller framework for theorchestration platform to listen for (or otherwise monitor for) changesin objects that are defined in the Kubernetes native API and to addannotations to some of these objects. The annotations may be labels orother identifiers specifying properties of the objects (e.g., “VirtualNetwork Green”). SDN controller manager 1325 is a component of the SDNarchitecture that listens to Kubernetes core resources (such as Pod,NetworkPolicy, Service, etc.) events and converts those to customresources for SDN architecture configuration as needed. The CNI plugin(e.g., CNIs 17, 570) is an SDN architecture component supporting theKubernetes networking plugin standard: container network interface.

SDN controller manager 1325 may create a network solution for theapplication using the REST interface exposed by aggregated API 402 todefine network objects such as virtual networks, virtual networkinterfaces, and access control policies. Network controller 24components may implement the network solution in the computinginfrastructure by, e.g., configuring the one or more virtual network andvirtual network interfaces in the virtual routers. (This is merely oneexample of an SDN configuration.)

The following example deployment configuration for this applicationconsists of a pod and the virtual network information for the pod:

apiVersion: v1 kind: Pod metadata:  name: multi-net-pod  annotations:  networks: ′[    { ″name″: ″red-network″ },    { ″name″: ″blue-network″},    { ″name″: ″default/extns-network″ }   ]′ spec:  containers:  -image: busybox   command:    - sleep    - ″3600″   imagePullPolicy:IfNotPresent   name: busybox   stdin: true   tty: true restartPolicy:Always

This metadata information may be copied to each pod replica created bythe controller manager 1326. When the SDN controller manager 1325 isnotified of these pods, SDN controller manager 1325 may create virtualnetworks as listed in the annotations (“red-network”, “blue-network”,and “default/extns-network” in the above example) and create, for eachof the virtual networks, a virtual network interface per-pod replica(e.g., pod 202A) with a unique private virtual network address from acluster-wide address block (e.g. 10.0/16) for the virtual network.

Additional techniques in accordance with this disclosure are describedbelow. Contrail is an example network controller architecture. ContrailCNI may be a CNI developed for Contrail. A cloud-native Contrailcontroller may be an example of a network controller described in thisdisclosure, such as network controller 24.

FIG. 7A is a block diagram illustrating control/routing planes forunderlay network and overlay network configuration using an SDNarchitecture, according to techniques of this disclosure. FIG. 7B is ablock diagram illustrating a configured virtual network to connect podsusing a tunnel configured in the underlay network, according totechniques of this disclosure.

Network controller 24 for the SDN architecture may use distributed orcentralized routing plane architectures. The SDN architecture may use acontainerized routing protocol daemon (process).

From the perspective of network signaling, the routing plane can workaccording to a distributed model, where a cRPD runs on every computenode in the cluster. This essentially means that the intelligence isbuilt into the compute nodes and involves complex configurations at eachnode. The route reflector (RR) in this model may not make intelligentrouting decisions but is used as a relay to reflect routes between thenodes. A distributed container routing protocol daemon (cRPD) is arouting protocol process that may be used wherein each compute node runsits own instance of the routing daemon. At the same time, a centralizedcRPD master instance may act as an RR to relay routing informationbetween the compute nodes. The routing and configuration intelligence isdistributed across the nodes with an RR at the central location.

The routing plane can alternatively work according to a more centralizedmodel, in which components of network controller runs centrally andabsorbs the intelligence needed to process configuration information,construct the network topology, and program the forwarding plane intothe virtual routers. The virtual router agent is a local agent toprocess information being programmed by the network controller. Thisdesign leads to facilitates more limited intelligence required at thecompute nodes and tends to lead to simpler configuration states.

The centralized control plane provides for the following:

-   -   Allows for the agent routing framework to be simpler and        lighter. The complexity and limitations of BGP are hidden from        the agent. There is no need for the agent to understand concepts        like route-distinguishers, route-targets, etc. The agents just        exchange prefixes and build its forwarding information        accordingly    -   Control nodes can do more than routing. They build on the        virtual network concept and can generate new routes using route        replication and re-origination (for instance to support features        like service chaining and inter-VN routing, among other use        cases).    -   Building the BUM tree for optimal broadcast and multicast        forwarding.

Note that the control plane has a distributed nature for certainaspects. As a control plane supporting distributed functionality, itallows each local virtual router agent to publish its local routes andsubscribe for configuration on a need-to-know basis.

It makes sense then to think of the control plane design from a toolingPOV and use tools at hand appropriately where they fit best. Considerthe set of pros and cons of contrail-bgp and cRPD.

The following functionalities may be provided by cRPDs or control nodesof network controller 24,

Routing Daemon/Process

Both control nodes and cRPDs can act as routing daemons implementing;different protocols and having the capability to program routinginformation in the forwarding plane.

cRPD implements routing protocols with a rich routing stack thatincludes interior gateway protocols (IGPs) (e.g., intermediate system tointermediate system (IS-IS)), BGP-LU, BGP-CT, SR-MPLS/SRv6,bidirectional forwarding detection (BFD), path computation elementprotocol (PCEP), etc. It can also be deployed to provide control planeonly services such as a route-reflector and is popular in internetrouting use-cases due to these capabilities.

Control nodes 232 also implement routing protocols but are predominantlyBGP-based. Control nodes 232 understands overlay networking. Controlnodes 232 provide a rich feature set in overlay virtualization and caterto SDN use cases. Overlay features such as virtualization (using theabstraction of a virtual network) and service chaining are very popularamong telco and cloud providers. cRPD may not in some cases includesupport for such overlay functionality. However, the rich feature set ofCRPD provides strong support for the underlay network.

Network Orchestration/Automation

Routing functionality is just one part of the control nodes 232. Anintegral part of overlay networking is orchestration. Apart fromproviding overlay routing, control nodes 232 help in modeling theorchestration functionality and provide network automation. Central toorchestration capabilities of control nodes 232 is an ability to use thevirtual network (and related objects)-based abstraction to model networkvirtualization. Control nodes 232 interface with the configuration nodes230 to relay configuration information to both the control plane and thedata plane. Control nodes 232 also assist in building overlay trees formulticast layer 2 and layer 3. For example, a control node may build avirtual topology of the cluster it serves to achieve this. cRPD does nottypically include such orchestration capabilities.

High Availability and Horizontal Scalability

Control node design is more centralized while cRPD is more distributed.There is a cRPD worker node running on each compute node. Control nodes232 on the other hand do not run on the compute and can even run on aremote cluster (i.e., separate and in some cases geographically remotefrom the workload cluster). Control nodes 232 also provide horizontalscalability for HA and run in active-active mode. The compute load isshared among the control nodes 232. cRPD on the other hand does nottypically provide horizontal scalability. Both control nodes 232 andcRPD may provide HA with graceful restart and may allow for data planeoperation in headless mode—wherein the virtual router can run even ifthe control plane restarts.

The control plane should be more than just a routing daemon. It shouldsupport overlay routing and network orchestration/automation, while cRPDdoes well as a routing protocol in managing underlay routing. cRPD,however, typically lacks network orchestration capabilities and does notprovide strong support for overlay routing.

Accordingly, in some examples, the SDN architecture may have cRPD on thecompute nodes as shown in FIGS. 7A-7B. FIG. 7A illustrates SDNarchitecture 700, which may represent an example implementation SDNarchitecture 200 or 400. In SDN architecture 700, cRPD 324 runs on thecompute nodes and provide underlay routing to the forwarding plane whilerunning a centralized (and horizontally scalable) set of control nodes232 providing orchestration and overlay services. In some examples,instead of running cRPD 324 on the compute nodes, a default gateway maybe used.

cRPD 324 on the compute nodes provides rich underlay routing to theforwarding plane by interacting with virtual router agent 514 usinginterface 540, which may be a gRPC interface. The virtual router agentinterface may permit programming routes, configuring virtual networkinterfaces for the overlay, and otherwise configuring virutal router506. This is described in further detail in U.S. application Ser. No.17/649,632. At the same time, one or more control nodes 232 run asseparate pods providing overlay services. SDN architecture 700 may thusobtain both a rich overlay and orchestration provided by control nodes232 and modern underlay routing by cRPD 324 on the compute nodes tocomplement control nodes 232. A separate cRPD controller 720 may be usedto configure the cRPDs 324. cRPD controller 720 may be a device/elementmanagement system, network management system, orchestrator, a userinterface/CLI, or other controller. cRPDs 324 run routing protocols andexchange routing protocol messages with routers, including other cRPDs324. Each of cRPDs 324 may be a containerized routing protocol processand effectively operates as a software-only version of a router controlplane.

The enhanced underlay routing provided by cRPD 324 may replace thedefault gateway at the forwarding plane and provide a rich routing stackfor use cases that can be supported. In some examples that do not usecRPD 324, virtual router 506 will rely on the default gateway forunderlay routing. In some examples, cRPD 324 as the underlay routingprocess will be restricted to program only the default inet(6).0 fabricwith control plane routing information. In such examples, non-defaultoverlay VRFs may be programmed by control nodes 232.

FIGS. 7A-7B illustrate the dual routing/control plane solution describedabove. In FIG. 7A, cRPD 324 provides underlay routing/forwardinginformation to virtual router agent 514, similar in some respect to howa router control plane programs a router forwarding/data plane.

As shown in FIG. 7B, cRPDs 324 exchange routing information usable tocreate tunnels through the underlay network 702 for VRFs. Tunnel 710 isan example and connects virtual routers 506 of server 12A and server12X. Tunnel 710 may represent an segment routing (SR) or SRv6 tunnel, aGeneric Route Encapsulation (GRE) tunnel, and IP-in-IP tunnel, an LSP,or other tunnel. Control nodes 232 leverages tunnel 710 to createvirtual network 712 connecting pods 22 of server 12A and server 12X thatare attached to the VRF for the virtual network.

As noted above, cRPD 324 and virtual router agent 514 may exchangerouting information using a gRPC interface, and virtual router agent5145 may program virtual router 506 with configuration using the gRPCinterface. As also noted, control nodes 232 may be used for overlay andorchestration while cRPD 324 may be used for managing the underlayrouting protocols. Virtual router agent 514 may use gRPC interface withcRPD 324 while using XMPP to communicate with the control node and adomain name service (DNS).

The gRPC model works well for cRPD 324 since there may be a workerrunning on every compute node, and the virtual router agent 314 acts asthe gRPC server exposing services for the client (cRPD 324) to use toprogram routing and configuration information (for underlay). gRPC isthus an attractive as a solution when compared to XMPP. In particular,it transports data as a binary stream and there is no added overhead inencoding/decoding data to be sent over it.

In some examples, control nodes 232 may interface with virtual routeragents 514 using XMPP. With virtual router agent 514 acting as the gRPCserver, cRPD 324 acts as the gRPC client. This would mean that theclient (cRPD) needs to initiate the connection towards the server(vRouter Agent). SDN architecture 700, virtual router agent 514 choosesthe set of control nodes 232 it will subscribe to (since there aremultiple control nodes). In that aspect, the control node 232 acts asthe server and the virtual router agent 514 connects as the client andsubscribes for updates.

With gRPC, the control node 232 would need to pick the virtual routeragents 514 it needs to connect to and then subscribe as a client. Sincethe control node 232 does not run on every compute node, this wouldrequire implementing an algorithm to choose the virtual router agents514 it can subscribe to. Further, the control nodes 232 need tosynchronize this information amongst each other. This also complicatesthe case when restarts happen and there is a need for synchronizationbetween the control nodes 232 to pick the agents they serve. Featuressuch as Graceful Restart (GR) and Fast Convergence have already beenimplemented on top of XMPP. XMPP is already lightweight and effective.Therefore, XMPP may be advantageous over gRPC for control node 232 tovirtual router agent 514 communications.

Additional enhancements to control nodes 232 and the use thereof are asfollows. HA and horizontal scalability with three control-nodes. Likeany routing platform, it should be sufficient to have just two controlnodes 232 to satisfy the HA requirements. In many cases, this isadvantageous. (However, one or more control nodes 232 may be used.) Forexample, it provides more deterministic infrastructure and in-line withstandard routing best-practices. Each virtual router agent 514 isattached to a unique pair of control nodes 232 to avoid randomness. Withtwo control nodes 232, debugging may be simpler. In addition, edgereplication for constructing multicast/broadcast trees may be simplifiedwith only two control node 232. Currently, since virtual router agents314 only connect to two of the three control nodes, all the controlnodes may not have the complete picture of the tree for some time andrely on BGP to sync states between them. This is exacerbated with threecontrol nodes 232 since virtual router agents 314 may choose two atrandom. If there were only two control nodes 232, every virtual routeragent 314 would connect to the same control nodes. This, in turn, wouldmean that control nodes 232 need not rely on BGP to sync states and willhave the same picture of the multicast tree.

SDN architecture 200 may provide for ingress replication as analternative to edge-replication and provide users the option. Ingressreplication can be viewed as a special degenerate case of generaloverlay multicast trees. In practice, however, the signaling of ingressreplication trees is much simpler than the signaling of general overlaymulticast trees. With ingress replication, every virtual router 21 endsup with a tree with itself as the root and every other vrouter as theleaf. A virtual router 21 going down should theoretically not result inrebuilding the tree. Note that the performance of ingress replicationdeteriorates with larger clusters. However, it works well for smallerclusters. Furthermore, multicast is not a popular and prevalentrequirement for many customers. It is mostly limited to transportbroadcast BUM traffic, which only happens initially.

Configuration Handling Module Enhancements

In convention SDN architectures, the network controller handles theorchestration for all use cases. The configuration nodes translateintents into configuration objects based on the data model and writethem into a database (e.g., Cassandra). In some cases, at the same time,a notification is sent to all clients awaiting the configuration, e.g.,via RabbitMQ.

Control nodes not only acts as BGP speakers but also have aconfiguration handling module that reads configuration objects from thedatabase in the following ways. First, when a control node comes up (orrestarts), it connects to and reads all configuration directly from thedatabase. Second, a control node may be also a messaging client. Whenthere are updates to configuration objects, control nodes receive amessaging notification that lists the objects that have been updated.This again causes the configuration handling module to read objects fromthe database.

The configuration handling module reads configuration objects for boththe control plane (BGP related configuration) and the vRouter forwardingplane. The configuration may be stored as a graph with objects as nodesand relationships as links. This graph can then be downloaded to theclients (BGP/cRPD and/or vRouter agent).

In accordance with techniques of this disclosure, the conventionalconfiguration API server and messaging service are in some examplesreplaced by Kube api-server (API server 300 and custom API server 301)and the previous Cassandra database by etcd in Kubernetes. With thischange, clients interested in configuration objects can directly do awatch on the etcd database to get updates rather than rely on RabbitMQnotifications.

Controller Orchestration for CRPD

BGP configuration can be provided to cRPDs 324. In some examples, cRPDcontroller 720 may be a Kubernetes controller catered to the to developits own controller catered to the Kubernetes space and implements CRDsrequired for orchestration and provisioning cRPDs 324.

Distributed Configuration Handling

As mentioned earlier in this section, the configuration handling modulemay be part of control nodes 232. It reads configuration directly from adatabase, converts the data into JSON format and stores it in its localIFMAP database as a graph with objects as nodes and the relationshipbetween them as links. This graph then gets downloaded to interestedvirtual router agents 514 on the compute nodes via XMPP. Virtual routeragent 514 constructs the IFMAP based dependency graph locally as well tostore these objects.

IFMAP as an intermediate module and the need for storing a dependencygraph can be avoided by having the virtual router agents 514 directly doa watch on the etcd server in API server 300. The same model can be usedby cRPD 324 running on the compute nodes. This will avoid the need forthe IFMAP-XMPP config channel. A Kubernetes configuration client (forcontrol node 232) can be used as part of this config. This client canalso be used by the virtual router agents.

This can, however, increase the number of clients reading configurationfrom the etcd server, especially in clusters with hundreds of computenodes. Adding more watchers eventually causes the write rate to drop andthe event rate to fall short of the ideal. etcd's gRPC proxyrebroadcasts from one server watcher to many client watchers. The gRPCproxy coalesces multiple client watchers (c-watchers) on the same key orrange into a single watcher (s-watcher) connected to an etcd server. Theproxy broadcasts all events from the s-watcher to its c-watchers.Assuming N clients watch the same key, one gRPC proxy can reduce thewatch load on the etcd server from N to 1. Users can deploy multiplegRPC proxies to further distribute server load. These clients share oneserver watcher; the proxy effectively offloads resource pressure fromthe core cluster. By adding proxies, etcd can serve one million eventsper second.

DNS/Named in the SDN Architecture

In previous architectures, DNS services are provided by contrail-dns andcontrail-named processes working in conjunction to provide DNS servicesto VMs in the network. Named acts as the DNS server that provides animplementation of the BIND protocol. contrail-dns receives updates fromthe vrouter-agent and pushes these records to named.

Four DNS modes are supported in the system, IPAM configuration canselect the DNS mode required.

1. None—No DNS support for the VMs.

2. Default DNS server—DNS resolution for the VMs is done based on thename server configuration in the server infrastructure. When a VM gets aDHCP response, the subnet default gateway is configured as the DNSserver for the VM. DNS requests that the VM sends to this defaultgateway are resolved via the (fabric) name servers configured on therespective compute nodes and the responses are sent back to the VM.

3. Tenant DNS server—Tenants can use their own DNS servers using thismode. A list of servers can be configured in the IPAM, which are thensent in the DHCP response to the VM as DNS server(s). DNS requests thatthe VM sends are routed as any other data packet based on the availablerouting information.

4. Virtual DNS server—In this mode, the system supports virtual DNSservers, providing DNS servers that resolve the DNS requests from theVMs. We can define multiple virtual domain name servers under eachdomain in the system. Each virtual domain name server is anauthoritative server for the DNS domain configured.

The SDN architecture described herein is efficient in the DNS servicesit provides. Customers in the cloud native world to be benefited by thevaried DNS services. However, with the move to next generationKubernetes-based architecture, the SDN architecture may instead usecoreDNS for any DNS services.

Data Plane

The Data plane consists of two components: virtual router agent 514 (akaAgent) and virtual router forwarding plane 506 (also referred to as DPDKvRouter/Kernel vRouter) Agent 514 in the SDN architecture solution isresponsible to manage the data plane component. Agent 514 establishesXMPP neighborships with two control nodes 232, then exchanges therouting information with them. The vRouter agent 514 also dynamicallygenerates flow entries and injects them into the virtual router 506.This gives instructions to virtual router 506 about how to forwardpackets.

Responsibilities of Agent 514 may include: Interface with control node232 to obtain the configuration. Translate received configuration into aform that datapath can understand (e.g., translate the data model fromIFMap to the data model used by datapath). Interface with control node232 to manage routes. And collect and export statistics from datapath toa monitoring solution.

Virtual router 506 implements the data-plane functionality that mayallow a virtual network interface to be associated with a VRF. Each VRFhas its own forwarding and flow tables, while the MPLS and VXLAN tablesare global within virtual router 506. The forwarding tables may containroutes for both the IP and MAC addresses of destinations and theIP-to-MAC association is used to provide proxy ARP capability. Thevalues of labels in the MPLS table are selected by virtual router 506when VM/Container interfaces come up and are only locally significant tothat vRouter. The VXLAN Network Identifiers are global across all theVRFs of the same virtual network in different virtual router 506 withina domain.

In some examples, each virtual network has a default gateway addressallocated to it, and each VM or container interface receives thataddress in the DHCP response received when initializing. When a workloadsends a packet to an address outside its subnet, it will ARP for the MACcorresponding to the IP address of the gateway, and virtual router 506responds with its own MAC address. Thus, virtual router 506 may supporta fully distributed default gateway function for all the virtualnetworks.

The following are examples of packet flow forwarding as implemented byvirtual routers 506.

Packet Flows Between VMs/Container Interface in the Same Subnet.

The worker node could be VM or Container Interface. In some examples,the packet processing proceeds as follows:

VM1/Container Interface needs to send a packet to VM2, so virtual router506 first looks up its own DNS cache for the IP address, but since thisis the first packet, there is no entry.

VM1 sends a DNS request to the DNS server address that was supplied inthe DHCP response when its interface came up.

The virtual router 506 traps the DNS request and forwards it to the DNSserver running in the SDN architecture controller.

The DNS server in the controller responds with the IP address of VM2

The virtual router 506 sends the DNS response to VM1

VM1 needs to form an Ethernet frame, so needs the MAC address for VM2.It checks its own ARP cache, but there is no entry, since this is thefirst packet.

VM1 sends out an ARP request.

The virtual router 506 traps the ARP request and looks up the MACaddress for IP-VM2 in its own forwarding tables and finds theassociation in the L2/L3 routes that the controller sent it for VM2.

The virtual router 506 sends an ARP reply to VM1 with the MAC address ofVM2

A TCP timeout occurs in the network stack of VM1

The network stack of VM1 retries sending the packet, and this time findsthe MAC address of VM2 in the ARP cache and can form an Ethernet frameand send it out.

The virtual router 506 looks up the MAC address for VM2 and finds anencapsulation route. The virtual router 506 builds the outer header andsends the resulting packet to server S2.

The virtual router 506 on server S2 decapsulates the packet and looks upthe MPLS label to identify the virtual interface to send the originalEthernet frame into. The Ethernet frame is sent into the interface andreceived by VM2.

Packet Flow Between VMs in Different Subnets

In some examples, the sequence when sending packets to destinations in adifferent subnet is similar except that the virtual router 506 respondsas the default gateway. VM1 will send the packet in an Ethernet framewith the MAC address of the default gateway whose IP address wassupplied in the DHCP response that the virtual router 506 supplied whenVM1 booted. When VM1 does an ARP request for the gateway IP address, thevirtual router 506 responds with its own MAC address. When VM1 sends anEthernet frame using that gateway MAC address, the virtual router 506uses the destination IP address of the packet inside the frame to lookup the forwarding table in the VRF to find a route, which will be via anencapsulation tunnel to the host that the destination is running on.

FIG. 10 is a block diagram illustrating a visualization of exampleassociations between access control policies, roles, and subjects. Asshown in FIG. 10 , visualization 1400 may provide a view of accesscontrol policies associated with roles and role bindings that bindsubjects to the access control policies of roles associated with roles.

Namespace-scoped access control policy 1420 and namespace-scored accesscontrol policy 1422 may be namespace-scoped, in that namespace-scopedaccess control policy 1420 and namespace-scored access control policy1422 may be isolated to enabling access to resources within namespace1402 within a cluster. Meanwhile, cluster-scoped access control policy1424 may enable access to resources within a cluster, includingresources outside of namespace 1402.

Role 1414 is permitted to access resources within namespace 1402according to namespace-scoped access control policy 1420 and ClusterRole1416 is permitted to access resources within namespace 1402 according tonamespace-scoped access control policy 1422. Meanwhile, ClusterRole 1418is permitted to access resources within the cluster according tocluster-scoped access control policy 1424.

Role bindings can grant permissions defined in a role (e.g., the accesscontrol policy for the role) to a user or a set of users. As such,RoleBinding 1408 can bind subject 1406 to namespace-scoped accesscontrol policy 1420 of Role 1414, RoleBinding 1410 can bind subject 1406to namespace-scoped access control policy 1422 of ClusterRole 1416, andClusterRoleBinding 1412 can bind subject 1406 to cluster-scoped accesscontrol policy 1424 of ClusterRole 1418. If a role binding such asRoleBinding 1408 is bound to a missing subject, such as if RoleBinding1408 is not bound to any user, visualization 1400 may provide avisualization of a missing subject 1404 bound by RoleBinding 1408. Acomputing device, such as one or more config nodes 230 of networkcontroller 24, may output such visualization 1400 of access controlpolicies associated with roles and role bindings that bind subjects tothe access control policies of roles associated with roles for displayat, for example, user interface 244, to enable users (e.g.,administrators) to visualize access control policies of SDN architecture200.

FIG. 11 is a flowchart illustrating an example operation of networkcontroller 24 in SDN architecture 200 in accordance with the techniquesof the present disclosure. For convenience, FIG. 11 is described withrespect to FIGS. 1-10 .

In the example of FIG. 11 , One or more configuration nodes 230 ofnetwork controller 24 may receive a request to generate an accesscontrol policy for a role in a container orchestration system (1500).The one or more configuration nodes 230 include an applicationprogramming interface (API) server 300 to process requests foroperations on native resources of a container orchestration system andinclude a custom API server 301 to process requests for operations oncustom resources for SDN architecture configuration. The request mayspecify a plurality of functions of an aggregated API 402 provided bythe custom API server 301 and the API server 300.

One or more configuration nodes 230 of network controller 24 may executethe plurality of functions (1502). One or more configuration nodes 230of network controller 24 may log execution of the plurality of functionsin an audit log (1504). One or more configuration nodes 230 of networkcontroller 24 may parse the audit log to determine a plurality ofresources of the container orchestration system accessed from executingthe plurality of functions and, for each resource of the plurality ofresources, a respective one or more types of operations of the pluralityof actions performed on the respective resource from executing theplurality of functions (1506). Network controller 24 may create, basedat least in part on the parsed audit log, the access control policy forthe role that permits a role to perform, on each of the plurality ofresources, the respective one or more types of operations (1508).

Aspects of the present disclosure includes the following examples.

Example 1: A network controller for a software-defined networking (SDN)architecture system, the network controller includes processingcircuitry; and one or more configuration nodes configured for executionby the processing circuitry, wherein the one or more configuration nodesinclude an application programming interface (API) server to processrequests for operations on native resources of a container orchestrationsystem and include a custom API server to process requests foroperations on custom resources for SDN architecture configuration, to:receive a request to generate an access control policy for a role in acontainer orchestration system, wherein the request specifies aplurality of functions of an aggregated API provided by the custom APIserver and the API server; execute the plurality of functions; logexecution of the plurality of functions in an audit log; parse the auditlog to determine a plurality of resources of the container orchestrationsystem accessed from executing the plurality of functions and, for eachresource of the plurality of resources, a respective one or more typesof operations of a plurality of actions performed on the respectiveresource from executing the plurality of functions; and create, based atleast in part on the parsed audit log, the access control policy for therole that permits a role to perform, on each of the plurality ofresources, the respective one or more types of operations.

Example 2: The network controller of example 1, wherein to execute theplurality of functions, the one or more configuration nodes are furtherconfigured for execution by the processing circuitry to: perform a firstrespective one or more operations indicated by the plurality offunctions on each of a first one or more resources indicated by theplurality of functions; determine, based at least in part on the firstrespective one or more operations to be performed on each of the firstone or more resources, a second respective one or more operations to beperformed on each of a second one or more resources that are notindicated by the plurality of functions; and perform the secondrespective one or more operations on each of the second one or moreresources.

Example 3: The network controller of any of examples 1 and 2, wherein tolog the execution of the plurality of functions, the one or moreconfiguration nodes are further configured for execution by theprocessing circuitry to: record, for each function of the plurality offunctions, an event that indicates one or more resources accessed byexecuting the function and the respective one or more types ofoperations of performed on each of the one or more resources byexecuting the function.

Example 4: The network controller of any of examples 1-3, wherein toparse the audit log, the one or more configuration nodes are furtherconfigured for execution by the processing circuitry to: filter theaudit log based at least in part on timestamps of events recorded in theaudit log.

Example 5: The network controller of any of examples 1-4, wherein toparse the audit log, the one or more configuration nodes are furtherconfigured for execution by the processing circuitry to: filter theaudit log based at least in part on namespaces of events recorded in theaudit log.

Example 6: The network controller of any of examples 1-5, wherein toparse the audit log, the one or more configuration nodes are furtherconfigured for execution by the processing circuitry to: determine,based on the audit log, an association between each of the plurality ofresources and the respective one or more types of operations.

Example 7: The network controller of any of examples 1-6, wherein theone or more configuration nodes are further configured for execution bythe processing circuitry to: validate the access control policy for therole based at least in part by comparing the access control policy forthe role to a configured access control policy for the role.

Example 8: The network controller of any of examples 1-7, wherein thefunctions of the aggregated API include requests for operations on oneor more instances of custom resources for SDN architectureconfiguration, wherein each of the custom resources for SDN architectureconfiguration corresponds to a type of configuration object in the SDNarchitecture system.

Example 9: The network controller of any of examples 1-8, wherein thefunctions of the aggregated API include requests for operations oninstances of one or more native resources of the container orchestrationsystem.

Example 10: The network controller of any of examples 1-9, wherein thecontainer orchestration system comprises Kubernetes.

Example 11: The network controller of any of examples 1-10, wherein eachof the respective one or more operations include one or more of create,read, update, and delete (CRUD) operations.

Example 12: A method includes receiving, by processing circuitry of anetwork controller for a software-defined networking (SDN) architecturesystem, a request to generate an access control policy for a role in acontainer orchestration system, wherein the network controller includesan application programming interface (API) server to process requestsfor operations on native resources of a container orchestration systemand a custom API server to process requests for operations on customresources for SDN architecture configuration, and wherein the requestspecifies a plurality of functions of an aggregated API provided by thecustom API server and the API server executing, by the processingcircuitry, the plurality of functions; logging, by the processingcircuitry, execution of the plurality of functions in an audit log;parsing, by the processing circuitry, the audit log to determine aplurality of resources of the container orchestration system accessedfrom executing the plurality of functions and, for each resource of theplurality of resources, a respective one or more types of operations ofa plurality of actions performed on the respective resource fromexecuting the plurality of functions; and creating, by the processingcircuitry and based at least in part on the parsed audit log, the accesscontrol policy for the role that permits a role to perform, on each ofthe plurality of resources, the respective one or more types ofoperations.

Example 13: The method of example 12, wherein executing the plurality offunctions further comprises: performing, by the processing circuitry, afirst respective one or more operations indicated by the plurality offunctions on each of a first one or more resources indicated by theplurality of functions; determining, by the processing circuitry andbased at least in part on the first respective one or more operations tobe performed on each of the first one or more resources, a secondrespective one or more operations to be performed on each of a secondone or more resources that are not indicated by the plurality offunctions; and performing, by the processing circuitry, the secondrespective one or more operations on each of the second one or moreresources.

Example 14: The method of any of examples 12 and 13, wherein logging theexecution of the plurality of functions further comprises: recording, bythe processing circuitry and for each function of the plurality offunctions, an event that indicates one or more resources accessed byexecuting the function and the respective one or more types ofoperations of performed on each of the one or more resources byexecuting the function.

Example 15: The method of any of examples 12-14, wherein parsing theaudit log further comprises: filtering, by the processing circuitry, theaudit log based at least in part on timestamps of events recorded in theaudit log.

Example 16: The method of any of examples 12-15, wherein parsing theaudit log further comprises: filtering, by the processing circuitry, theaudit log based at least in part on namespaces of events recorded in theaudit log.

Example 17: The method any of examples 12-16, wherein parsing the auditlog further comprises: determining, by the processing circuitry andbased on the audit log, an association between each of the plurality ofresources and the respective one or more types of operations.

Example 18: The method of any of examples 12-17, further includesvalidating, by the processing circuitry, the access control policy forthe role based at least in part by comparing the access control policyfor the role to a configured access control policy for the role.

Example 19: The method of any of examples 12-18, wherein the functionsof the aggregated API include requests for operations on one or moreinstances of custom resources for SDN architecture configuration,wherein each of the custom resources for SDN architecture configurationcorresponds to a type of configuration object in the SDN architecturesystem.

Example 20: A non-transitory computer-readable medium includes receive arequest to generate an access control policy for a role in a containerorchestration system, wherein the request specifies a plurality offunctions of an aggregated API provided by the custom API server and theAPI server; execute the plurality of functions; log execution of theplurality of functions in an audit log; parse the audit log to determinea plurality of resources of the container orchestration system accessedfrom executing the plurality of functions and; for each resource of theplurality of resources, a respective one or more types of operations ofa plurality of actions performed on the respective resource fromexecuting the plurality of functions; and create, based at least in parton the parsed audit log, the access control policy for the role thatpermits a role to perform, on each of the plurality of resources, therespective one or more types of operations.

The techniques described herein may be implemented in hardware,software, firmware, or any combination thereof. Various featuresdescribed as modules, units or components may be implemented together inan integrated logic device or separately as discrete but interoperablelogic devices or other hardware devices. In some cases, various featuresof electronic circuitry may be implemented as one or more integratedcircuit devices, such as an integrated circuit chip or chipset.

If implemented in hardware, this disclosure may be directed to anapparatus such as a processor or an integrated circuit device, such asan integrated circuit chip or chipset. Alternatively or additionally, ifimplemented in software or firmware, the techniques may be realized atleast in part by a computer-readable data storage medium comprisinginstructions that, when executed, cause a processor to perform one ormore of the methods described above. For example, the computer-readabledata storage medium may store such instructions for execution by aprocessor.

A computer-readable medium may form part of a computer program product,which may include packaging materials. A computer-readable medium maycomprise a computer data storage medium such as random access memory(RAM), read-only memory (ROM), non-volatile random access memory(NVRAM), electrically erasable programmable read-only memory (EEPROM),Flash memory, magnetic or optical data storage media, and the like. Insome examples, an article of manufacture may comprise one or morecomputer-readable storage media.

In some examples, the computer-readable storage media may comprisenon-transitory media. The term “non-transitory” may indicate that thestorage medium is not embodied in a carrier wave or a propagated signal.In certain examples, a non-transitory storage medium may store data thatcan, over time, change (e.g., in RAM or cache).

The code or instructions may be software and/or firmware executed byprocessing circuitry including one or more processors, such as one ormore digital signal processors (DSPs), general purpose microprocessors,application-specific integrated circuits (ASICs), field-programmablegate arrays (FPGAs), or other equivalent integrated or discrete logiccircuitry. Accordingly, the term “processor,” as used herein may referto any of the foregoing structure or any other structure suitable forimplementation of the techniques described herein. In addition, in someaspects, functionality described in this disclosure may be providedwithin software modules or hardware modules.

1. A network controller for a software-defined networking (SDN)architecture system, the network controller comprising: processingcircuitry; and one or more configuration nodes configured for executionby the processing circuitry, wherein the one or more configuration nodesinclude an application programming interface (API) server to processrequests for operations on native resources of a container orchestrationsystem and include a custom API server to process requests foroperations on custom resources for SDN architecture configuration, to:receive a request to generate an access control policy for a role in acontainer orchestration system, wherein the request specifies aplurality of functions of an aggregated API provided by the custom APIserver and the API server; execute the plurality of functions; logexecution of the plurality of functions in an audit log; parse the auditlog to determine a plurality of resources of the container orchestrationsystem accessed from executing the plurality of functions and, for eachresource of the plurality of resources, a respective one or more typesof operations of a plurality of actions performed on the respectiveresource from executing the plurality of functions; and create, based atleast in part on the parsed audit log, the access control policy for therole that permits a role to perform, on each of the plurality ofresources, the respective one or more types of operations.
 2. Thenetwork controller of claim 1, wherein to execute the plurality offunctions, the one or more configuration nodes are further configuredfor execution by the processing circuitry to: perform a first respectiveone or more operations indicated by the plurality of functions on eachof a first one or more resources indicated by the plurality offunctions; determine, based at least in part on the first respective oneor more operations to be performed on each of the first one or moreresources, a second respective one or more operations to be performed oneach of a second one or more resources that are not indicated by theplurality of functions; and perform the second respective one or moreoperations on each of the second one or more resources.
 3. The networkcontroller of claim 1, wherein to log the execution of the plurality offunctions, the one or more configuration nodes are further configuredfor execution by the processing circuitry to: record, for each functionof the plurality of functions, an event that indicates one or moreresources accessed by executing the function and the respective one ormore types of operations of performed on each of the one or moreresources by executing the function.
 4. The network controller of claim1, wherein to parse the audit log, the one or more configuration nodesare further configured for execution by the processing circuitry to:filter the audit log based at least in part on timestamps of eventsrecorded in the audit log.
 5. The network controller of claim 1, whereinto parse the audit log, the one or more configuration nodes are furtherconfigured for execution by the processing circuitry to: filter theaudit log based at least in part on namespaces of events recorded in theaudit log.
 6. The network controller of claim 1, wherein to parse theaudit log, the one or more configuration nodes are further configuredfor execution by the processing circuitry to: determine, based on theaudit log, an association between each of the plurality of resources andthe respective one or more types of operations.
 7. The networkcontroller of claim 1, wherein the one or more configuration nodes arefurther configured for execution by the processing circuitry to:validate the access control policy for the role based at least in partby comparing the access control policy for the role to a configuredaccess control policy for the role.
 8. The network controller of claim1, wherein the functions of the aggregated API include requests foroperations on one or more instances of custom resources for SDNarchitecture configuration, wherein each of the custom resources for SDNarchitecture configuration corresponds to a type of configuration objectin the SDN architecture system.
 9. The network controller of claim 1,wherein the functions of the aggregated API include requests foroperations on instances of one or more native resources of the containerorchestration system.
 10. The network controller of claim 1, wherein thecontainer orchestration system comprises Kubernetes.
 11. The networkcontroller of claim 1, wherein each of the respective one or moreoperations include one or more of create, read, update, and delete(CRUD) operations.
 12. A method comprising: receiving, by processingcircuitry of a network controller for a software-defined networking(SDN) architecture system, a request to generate an access controlpolicy for a role in a container orchestration system, wherein thenetwork controller includes an application programming interface (API)server to process requests for operations on native resources of acontainer orchestration system and a custom API server to processrequests for operations on custom resources for SDN architectureconfiguration, and wherein the request specifies a plurality offunctions of an aggregated API provided by the custom API server and theAPI server executing, by the processing circuitry, the plurality offunctions; logging, by the processing circuitry, execution of theplurality of functions in an audit log; parsing, by the processingcircuitry, the audit log to determine a plurality of resources of thecontainer orchestration system accessed from executing the plurality offunctions and, for each resource of the plurality of resources, arespective one or more types of operations of a plurality of actionsperformed on the respective resource from executing the plurality offunctions; and creating, by the processing circuitry and based at leastin part on the parsed audit log, the access control policy for the rolethat permits a role to perform, on each of the plurality of resources,the respective one or more types of operations.
 13. The method of claim12, wherein executing the plurality of functions further comprises:performing, by the processing circuitry, a first respective one or moreoperations indicated by the plurality of functions on each of a firstone or more resources indicated by the plurality of functions;determining, by the processing circuitry and based at least in part onthe first respective one or more operations to be performed on each ofthe first one or more resources, a second respective one or moreoperations to be performed on each of a second one or more resourcesthat are not indicated by the plurality of functions; and performing, bythe processing circuitry, the second respective one or more operationson each of the second one or more resources.
 14. The method of claim 12,wherein logging the execution of the plurality of functions furthercomprises: recording, by the processing circuitry and for each functionof the plurality of functions, an event that indicates one or moreresources accessed by executing the function and the respective one ormore types of operations of performed on each of the one or moreresources by executing the function.
 15. The method of claim 12, whereinparsing the audit log further comprises: filtering, by the processingcircuitry, the audit log based at least in part on timestamps of eventsrecorded in the audit log.
 16. The method of claim 12, wherein parsingthe audit log further comprises: filtering, by the processing circuitry,the audit log based at least in part on namespaces of events recorded inthe audit log.
 17. The method of claim 12, wherein parsing the audit logfurther comprises: determining, by the processing circuitry and based onthe audit log, an association between each of the plurality of resourcesand the respective one or more types of operations.
 18. The method ofclaim 12, further comprising: validating, by the processing circuitry,the access control policy for the role based at least in part bycomparing the access control policy for the role to a configured accesscontrol policy for the role.
 19. The method of claim 12, wherein thefunctions of the aggregated API include requests for operations on oneor more instances of custom resources for SDN architectureconfiguration, wherein each of the custom resources for SDN architectureconfiguration corresponds to a type of configuration object in the SDNarchitecture system.
 20. A non-transitory computer-readable mediumcomprising instructions for causing processing circuitry of a networkcontroller that executes one or more configuration nodes that include anapplication programming interface (API) server to process requests foroperations on native resources of a container orchestration system andinclude a custom API server to process requests for operations on customresources for SDN architecture configuration to: receive a request togenerate an access control policy for a role in a containerorchestration system, wherein the request specifies a plurality offunctions of an aggregated API provided by the custom API server and theAPI server; execute the plurality of functions; log execution of theplurality of functions in an audit log; parse the audit log to determinea plurality of resources of the container orchestration system accessedfrom executing the plurality of functions and, for each resource of theplurality of resources, a respective one or more types of operations ofa plurality of actions performed on the respective resource fromexecuting the plurality of functions; and create, based at least in parton the parsed audit log, the access control policy for the role thatpermits a role to perform, on each of the plurality of resources, therespective one or more types of operations.